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rejection is appropriate so as to avoid rejecting decoding, because 
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receiving a cipher text E=(ul, u2, v, e) of a plaintext (m) 
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public keys, the device 12 generates a random number (r) and 
calculates (c)=H (ul, u2) and ( v) = (ulXl+CYlu2X2+CY2Vl ) r mod (p) . If 
(v) is 1, this cipher text is deemed accepted, but if (v) is not 1, 
it is deemed rejected, and the rejection is verified to a third 
person . 
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:laims 



Claim(s)] 

Claim 1] The cipher verification approach characterized by verifying a cipher by checking whether the value which generated the random 
lumber r and squared the value V of an original verification type r in the cipher verification approach verified by checking that the received 
;ipher is made justly and that the value of a verification type is set to 1 is set to 1. 

Claim 2] Considering as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, Gq is 
nultiplicative-group Zp*. The subgroup of order q shall be expressed, gl and g2 A logarithm considers as the origin of strange Gq and H is 
nade into a general-purpose Hash Function, dispersion of g2 which uses gl as a bottom — (xl, x2, y 1, y2, z) **Zq5 A private key, lxlg 2 
<2mod p of X=g, ly lg2of Y=g y2mod p, and Z=glz mod p (X, Y, Z) are used as a public key. In the code approach to include the cipher E 
3ver Plaintext m - c - as H(ul, u2) mod q - ul=glr mod p and u2=g2r mod p - v=Xr Ycrmod p - three - constructing (ul, u2, v) -- Decode 
person equipment is the cipher verification approach characterized by verifying the justification of a cipher by generating a random number r, 
;alculating c=H(ul, u2) mod q, calculating V=(ulxl+cylu2 x2+cy2v-l) r mod p, and checking that V is equal to 1. 

Claim 3] The cipher verification approach characterized by proving that it is the result of V calculating like r mod p (ulxl+cylu2 x2+cy2v-l) 
.n the cipher verification approach of claim 2 to the random number r which uses zero information certification when not equal to 1, and has V 
;o a third party. 

Claim 4] Shall consider as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, and Gq 
>hall express the subgroup of the order q of a multiplicative group Zp. Make gl and g2 into the origin of Gq, make H into a general-purpose 
Hash Function, and n persons' decode person is set to Pl-Pn. Each decode person Pj has the open value wj of a proper, and is **(xl, x2, yl, y2, 
i) Zq5. Distribute with the secrecy variational method of threshold t which fills 3 t<n, and are obtained. The secrecy value (x2 j and yl j, y2 
<lj, j, zj) corresponding to a value wj is used as the decode person's Pj private key. Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and 
Zj=glzjmod p (Xj, Yj, Zj) are used as the decode person's Pj public key. A safe channel shall be between each decode person equipment. 
Moreover, each decode person equipment Receiving a content with other all the members' same decode person equipment shall use the 
broadcast mold channel guaranteed. The decode person Pj shall hold the secrecy value rj corresponding to a value wj which distributes random- 
number r**Zq with the secrecy variational method of threshold t, and is acquired. Ef (ul, u2, v, e) is made into the cipher of the plaintext m 
which used lxlg 2 x2modp of X=g, ly lg2of Y=g y2mod p, and Z=glz mod p as the public key. When a right cipher satisfies ul=glr mod p, 
u2=g2r mod p, c=H (ul, u2), v=Xr Ycrmod p, and e=mZr mod p, The equipment of each decode person Pj who received E calculates c=H (ul, 
u2). Vj=(ulxl j+cylju2 x2j+cy2jv-l) rjmod p is calculated. Distribute Vj with a verifiable secrecy variational method 2t or less more than 
threshold t, and are obtained. The equipment of the decode person Pk who transmitted the secrecy value Vjk corresponding to a value wk 
through the channel safe for each decode person's Pk equipment, and received Vjk from all other decode person equipments Vkj to which the 
equipment of each decode person Pj who transmitted Vk to all other decode person equipments, and received Vk corresponds according to a 
broadcast mold channel is transmitted to all other decode person equipments according to a broadcast mold channel. Each decode person 
equipment is verified using all Vkj(s) to which each Vk received that it was a right value. Choose 2t+l piece among the right and checked Vk, 
and it investigates whether the value V restored with the secrecy restoration procedure to exponent part is equal to 1. If equal and a restoration 
value is [ a secrecy restoration procedure is similarly repeated in other 2t+l piece combination and ] all equal to 1 about no combination The 
cipher verification approach characterized by judging that the cipher is inaccurate, and judging the cipher to be the right if there is combination 
set to 1 at least one. 

[Claim 5] In the cipher verification approach of claim 4, if the above-mentioned cipher is judged to be the right, w will be used as the n-th root 
of 1 in mod q. Each decode person equipment Set wj to wj-1 mod q and it considers as the characteristic value of disclosure of wj which fills 
wj! = l in l<j<n. the dispersion which each decode person's Pj equipment calculates Dj=ulzjmod p, transmits it to all other decode person 
equipments according to a broadcast mold channel, and uses as a bottom ul which received (Dl, --, Dn) -- the cipher verification approach 
characterized by checking that a logarithm is the codeword of a BCH code. 

[Claim 6] Considering as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, Gq is 
multiplicative-group Zp*. The subgroup of order q shall be expressed, gl and g2 A logarithm considers as the origin of strange Gq and H is 
made into a general-purpose Hash Function, dispersion of g2 which uses gl as a bottom - (xl, x2, y 1, y2, z) **Zq5 A private key, lxlg 2 
x2mod p of X=g, ly lg2of Y=g y2mod p, and Z=glz mod p (X, Y, Z) are used as a public key. In the code approach to include the cipher E 
over Plaintext m - c -- as H(ul, u2) mod q - ul=glr mod p and u2=g2r mod p -- v=Xr Ycrmod p - three - constructing (ul, u2, v) - Decode 
person equipment generates a random number r, and calculates xl'=xl and rmod q, x2'=x2 and rmod q, y l'=y 1 and rmod q, and y2'=y2 and 
rmod q. The cipher verification approach characterized by verifying the justification of a cipher by calculating c=H(ul, u2) mod q, calculating 
V=ulxl'+cyr u2 x2'+cy2' v-rmod p, and checking that V is equal to 1 from the received cipher. 

[Claim 7] In the cipher verification approach of claim 6 when not equal to 1, V decode person equipment (X, Y, V) It receives that it is (xl, x2, 
y 1 , y2, r). 1 x 1 g 2 x2mod p of X=g, 1 y 1 g2of Y=g y 2mod p, and V=u 1 x 1 r+cy 1 r u2x2r+cy2r satisfying v-rmod p - zero information certification 
-- using (xl, x2, yl, y2), considering as secrecy The cipher verification approach characterized by what is proved to a verification person. 
[Claim 8] It is under Gq whose logarithm is strange, dispersion of h to which g and h use g as a bottom in the cipher verification approach of 



Page 1 of 5 



http://www4jpdl.ncipi.go.jp/cgi-bin/tran_web_cgi_ejje 



5/3/2005 



P.2000-2 1 6774,A [CLAIMS] Page 2 of 5 

laim 7 - decode person equipment Random numbers r, al, a2, bl, and b2 are generated. R=gr ha mod p, RXl=Rxlhalmod p, 
0(2=Rx2ha2mod p, R, RX1, RX2, RY1, and RY2 are exhibited. RYl=Rylhblmod p and RY2=Ry2hb2mod p (X, Y, V, R, RX1, RX2, 
IY1, RY2) receive that it is (xl, x2, y 1, y2, r, a, al, a2, bl, b2). lxlg 2 x2mod p of X=g, ly lg2of Y=g y2mod p, V=ulxlr+cylr u2x2r+cy2r v- 
mod p, R=gr ha mod p, RXl=Rxlhalmod p, RX2=Rx2ha2mod p, RYl=Rylhblmod p, and RY2=Ry2hb2mod p - the cipher verification 
pproach characterized by proving filling relational expression by zero information certification. 

Claim 9] n persons' decode person is set to Pl-Pn in the cipher verification approach of claim 6. Use w as the n-th root of 1 in mod q, and wj is 
et to wj-1 mod q. wj!=l shall be filled in l<j<n and a value wj is assigned to each decode person Pj. The decode person's Pj private key (x2 j 
md yl j, y2 xlj, j, zj) Distribute xl, x2, and (yl, y2, z) with the secrecy variational method of threshold t which fills 3 t<n, and are obtained, 
insider as the secrecy value corresponding to a value wj, and Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and Zj=glZjmod p (Xj, Yj, Zj) 
ire used as the decode person's Pj public key. A safe channel shall be between each decode person equipment. Moreover, each decode person 
:quipment Receiving a content with other all the members' same decode person equipment shall use the broadcast mold channel guaranteed. 
The decode person Pj shall hold the secrecy value rj corresponding to a value wj which distributes random-number r**Zq with the secrecy 
variational method of threshold t, and is acquired. Each decode person's Pj equipment Distribute r-xl, r and x2, r-y 1, and r-y2 with the secrecy 
'ariational method of threshold t, respectively, and are obtained. The equipment of each decode person Pj who calculated and held secrecy 
/alue xlj' corresponding to a value wj, x2j', ylj', and y2j' by the distributed multiplication method, and received the cipher c=H (ul, u2) is 
:alculated and Vj=ulxlj*+cylj'u2x2j , +cy2 j'v-rj mod p is calculated. According to a broadcast mold channel Transmit Vj to all other decode 
>erson equipments, and it checks that the exponent part of (VI, --, Vn) is the codeword of a BCH code. The cipher verification approach 
;haracterized by verifying the justification of a cipher by checking that the value V restored with the secrecy restoration procedure to exponent 
)art is equal to 1 . 

Claim 10] In the cipher verification approach of claim 9, 2t<n shall be filled for threshold t. Instead of checking that the exponent part of (VI , 
•-, Vn) is the codeword of a BCH code Each decode person's Pj equipment without leaking the information concerning [ that Vj is as a result 
>f / of u lxl j'+cylj'u2x2j'+cy2 j'v-rj mod p / right count, and ] xlj', x2j', ylj', y2j', and rj The cipher verification approach characterized by 
moving to other decode person equipments, specifying the decode person Pj in whom zero information certification failed as a deviation 
>erson, and other decode person equipments restoring a deviation person's secrecy value xlj', x2j\ ylj', y2j', and rj using secrecy value 
ecovery procedure by zero information certification. 

Claim 11] When (VI, Vn) are not the codewords of a BCH code, in the cipher verification approach of claim 9 each decode person's Pj 
equipment Without leaking the information concerning [ that Vj is as a result of / of ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p / count, and ] xlj', x2j', 
/Ij', y2j\ and rj Prove to other decode person equipments by zero information certification, and the equipment of the decode person Pj who 
railed in certification is specified with a deviation person's equipment. The cipher verification approach characterized by other decode person 
equipments restoring secrecy value xlj' of a deviation person's equipment, x2j', ylj', y2j\ and rj using secrecy value recovery procedure. 
.'Claim 12] the dispersion each decode person's Pj equipment calculates Dj=ulzjmod p, and whose value V which carried out [ above- 
mentioned ] restoration transmits to all other decode person equipments according to a broadcast mold channel, and uses as a bottom ul which 
received (Dl, --, Dn) in the cipher verification approach of claim 9 when equal to 1 - the cipher verification approach characterized by to 
check that a logarithm is the codeword of a BCH code. 

[Claim 13] The restored value V in the cipher verification approach of claim 10 when equal to 1 Without each decode person's Pj equipment 
calculating Dj=ulzjmod p, and leaking the information concerning [ that Dj is as a result of right count, and ] zj The cipher verification 
approach characterized by proving to other decode persons, specifying the decode person Pj who failed in zero information certification as a 
deviation person, and other decode person equipments restoring a deviation person's secrecy value zj using secrecy value recovery procedure 
by zero information certification. 

[Claim 14] It is the cipher verification approach characterized by for the secrecy restoration procedure to the exponent part to which each 
decode person equipment uses ul as a bottom from the right (Dl, -, Dn) in claim 12 or the cipher verification approach of 13 restoring D=ulz 
mod p, calculating m=e/Dmod p, and decoding Plaintext m. 

[Claim 15] Shall consider as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, and Gq 
shall express the subgroup of the order p of a multiplicative group Zp. Make gl and g2 into the origin of Gp, make H into a general-purpose 
Hash Function, and it considers as the public key which uses lxlg 2 x2mod p of X=g, ly lg2of Y=g y2modp, and Z=glz mod p for an 
encryption procedure, (x 1 , x2, y 1 , y2, z) * *Zq5 It contains. * * - the cipher [ as opposed to / carry out and / Plaintext m ] E - c - as H(u 1 , u2) 
modp -- u 1 =g 1 r mod p and u2=g2r mod p - v=Xr Ycrmod p - three - constructing (u 1 , u2, v) - The processing which generates a random 
number r, the processing which receives Cipher E, and the processing which calculates c=H(ul, u2) mod q, The record medium which recorded 
the program which makes the computer of decode person equipment perform processing which calculates V=(ulxl+cylu2 x2+cy2v-l) r mod 
p, and processing which checks that it is V= 1 and verifies the justification of a cipher 

[Claim 16] V!=l The processing which will exhibit BC (r) using a bit commitment function (BC) if it becomes, r which constitutes BC (r), xl 
which constitutes public keys X and Y, x2, and y 1 and y2 are used. (ulxl+cylu2 x2+cy2v-l) The record medium characterized by including 
the program which performs processing proved to a third party by zero information certification, without leaking the secrecy concerning [ that 
the result of having performed count which becomes r mod p is V, and ] r, xl, x2, and yl and y2. 

[Claim 17] Shall consider as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, and Gq 
shall express the subgroup of the order q of a multiplicative group Zp. Make gl and g2 into the origin of Gq, make H into a general-purpose 
Hash Function, and n persons' decode person is set to Pl-Pn. each decode person Pj -- the open value wj of a proper - having - **(xl, x2, y 1, 
y2, z) Zq5 Distribute with the secrecy variational method of threshold t which fills 3 t<n, and are obtained. The secrecy value (x2 j and yl j, y2 
xlj, j, zj) corresponding to a value wj is used as the decode person's Pj private key. Xj=glxlj g2 x2j mod p, Yj=gly Ij g2y2j mod p, and 
Zj=glzjmod p are used as the decode person's Pj public key. The processing which generates the secrecy value rj corresponding to the value wj 
which distributes random-number r**Zq with the secrecy variational method of threshold t, and is acquired, lxlg 2 x2mod p of X=g^ ly lg2of 
Y=g y2mod p, and Z=glz mod p are used as a public key. It considers as the cipher of Plaintext m. A right cipher ul=glr mod p, u2=g2r mod 
p, c=H (ul, u2), The processing which fills v=Xr Ycrmod p and e=mZr mod p, and receives cipher E= (ul, u2, v, e), The processing which 
calculates c=H (ul, u2), and the processing which calculates Vj=(ulxl j+cylju2 x2j+cy2jv-l) rjmod p, The processing which transmits the 
secrecy value Vjk corresponding to a value wk which distributes Vj with a verifiable secrecy variational method 2t or less more than threshold 
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, and is acquired to each decode person's Pk equipment, The processing which receives Vkj from all other decode person equipments Pk, and 
he processing which transmits Vj to all other decode person equipments, The processing which receives Vk from all other decode person 
equipments, and the processing which transmits Vkj to all other decode person equipments, every ~ with the processing which verifies that Vk 
s a right value using Vkj from all other decode person equipments Choose 2t+l piece among the right and checked Vk, and it investigates 
vhether the value V restored with the secrecy restoration procedure to exponent part is equal to 1 . If equal and a restoration value is [ a secrecy 
estoration procedure is similarly repeated in other 2t+l piece combination and ] all equal to 1 about no combination The record medium which 
ecorded the program which makes the computer of decode person equipment perform processing which judges that the cipher is inaccurate, 
ind will judge the cipher to be the right if there is combination set to 1 at least one. 

Claim 18] Shall consider as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, and Gq 
;hall express the subgroup of the order q of a multiplicative group Zp. gl and g2 are made into the origin of Gq, H is made into a general- 
mrpose Hash Function, and it is **(xl, x2, yl, y2, z)Zq5. Private key, lxlg 2 x2mod p of X=g, lylg2of Y=gy2mod p, and Z=glzmod p(X, 
Z) are used as a public key. the cipher E over Plaintext m - c - as H(ul, u2) mod q - ul=glr mod p and u2=g2r mod p - v=Xr Ycrmod p - 
three « constructing (ul, u2, v) - it containing and with the processing which generates a random number r The processing which calculates 
cl -xl and rmod q, x2'=x2 and rmod q, y l'=yl and rmod q, and y2'=y2 and rmod q using Above r, The processing which receives Cipher E, 
ind the processing which calculates c=H(ul , u2) mod q, and calculates V=ulxl'+cy V u2 x2'+cy2' v-rmod p from the received cipher, The 
*ecord medium which recorded the program which makes the computer of decode person equipment perform processing which verifies the 
justification of a cipher when Above V checks that it is equal to 1. 

[Claim 19] In the record medium of claim 18 when not equal to 1, V (X, Y, V) It receives that it is (xl, x2, yl, y2, r). lxlg 2 x2mod p of X=g, 
iylg2of Y=g y2mod p, and V=u lxl r+cylr satisfying u2 x2r+cy2 rv-rmod p - zero information certification - using (xl, x2, yl, y2, r), 
considering as secrecy The record medium characterized by the above-mentioned program including the program which makes the above- 
mentioned computer perform processing proved to a verification person. 

[Claim 20] dispersion of h to which g and h use g as a bottom in the record medium of claim 19 ~ with the processing which is under Gq 
whose logarithm is strange and generates random numbers r, al, a2, bl, and b2 R=gr ha mod p, RXl=Rxlhalmod p, RX2=Rx2ha2mod p, 
RYl=Rylhblmod p and RY2=Ry2hb2mod p - with the processing which exhibits R, RX1, RX2, RY1, and RY2 (X, Y, V, R, RX1, RX2, 
RY 1 , RY2) receive that it is (x 1 , x2, y 1 , y2, r, a, a 1 , a2, b 1 , b2). 1 x 1 g 2 x2mod p of X=g, 1 y 1 g2of Y=g y2mod p, V=u 1 x 1 r+cy 1 r u2x2r+cy2r v- 
rmod p, R=gr ha mod p, RXl=Rxlhalmod p, RX2=Rx2ha2mod p, RYl=Ry lhblmod p, and RY2=Ry2hb2mod p -- the record medium 
characterized by the above-mentioned program including the program which makes the above-mentioned computer perform processing which 
proves filling relational expression by zero information certification. 

[Claim 21] In the record medium of claim 18, set n persons' decode person to Pl-Pn, and w is used as the n-th root of 1 in mod q. Shall set wj 
to wj-1 mod q and wj!=l shall be filled in Kj<n. A value wj is assigned to each decode person Pj. The decode person's Pj private key (x2 j and 
yl j, y2 xlj, j, zj) Distribute xl, x2, and (yl, y2, z) with the secrecy variational method of threshold t which fills 3 t<n, and are obtained. 
Consider as the secrecy value corresponding to a value wj, and Xj=glxlj g2 x2j mod p, Yj=gly lj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) 
are used as the decode person's Pj public key. Processing holding the secrecy value rj corresponding to a value wj which distributes random- 
number r**Zq with the secrecy variational method of threshold t, and is acquired, The processing which calculates and holds secrecy value xlj' 
corresponding to a value wj which distributes rxl, rx2, ryl, and ry2 with the secrecy variational method of threshold t, respectively, and is 
obtained, x2j\ y lj', and y2j' by the distributed multiplication method, If a cipher is received, c=H (ul, u2) will be calculated and 
Vj=ulxlj'+cylj'u2x2j , +cy2 j'v-rj mod p will be calculated. According to a broadcast mold channel The processing which transmits Vj to all 
other decode person equipments, and the processing which checks that the exponent part of (VI, --, Vn) is the codeword of a BCH code, The 
record medium characterized by the above-mentioned program including the program which performs processing which verifies the 
justification of a cipher by checking that the value V restored with the secrecy restoration procedure to the above-mentioned exponent part is 
equal to 1 by above-mentioned computer. 

[Claim 22] In the record medium of claim 2 1 , 2 t<n shall be filled for threshold t. Instead of the processing which checks that the exponent part 
of (VI, --, Vn) is the codeword of a BCH code Without leaking the information concerning [ that Vj is as a result of / of 
u 1 x 1 j'+cy 1 j'u2x2j'+cy2 j'v-rj mod p / right count, and ] x 1 j', x2j\ y 1 j', y2j', and rj The processing proved to other decode persons by zero 
information certification and the decode person Pj in whom zero information certification failed are specified as a deviation person. The record 
medium characterized by including the program which makes the above-mentioned computer perform a deviation person's secrecy value xlj', 
x2j', y lj', y2j\ and processing that restores rj using secrecy value recovery procedure in the above-mentioned program. 
[Claim 23] In the record medium of claim 21, when (VI, --, Vn) are not the codewords of a BCH code Without leaking the information 
concerning [ that Vj is as a result of / of ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p / count, and ] xlj', x2j\ ylj\ y2j', and rj The processing proved to 
other decode persons by zero information certification and the decode person Pj who failed in the above-mentioned certification are specified 
with a deviation person. The record medium characterized by the above-mentioned program including the program which makes the above- 
mentioned computer perform processing which restores a deviation person's secrecy value xlj', x2j', y lj', y2j', and rj using secrecy value 
recovery procedure. 

[Claim 24] Shall consider as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, and Gq 
shall express the subgroup of the order q of a multiplicative group Zp. gl and g2 are made into the origin of Gq, H is made into a general- 
purpose Hash Function, and it is **(xl, x2, y 1, y2, z) Zq5. Private key, lxlg 2 x2mod p of X=g, ly lg2of Y=g y2mod p, and Z=glz mod p (X, 
Y, Z) are used as a public key. It is verification equipment of the cipher to include, the cipher E over Plaintext m - c - as H(ul, u2) mod q - 
ul=glr mod p and u2=g2r mod p - v=Xr Ycrmod p - three - constructing (ul, u2, v) - A means to generate a random number r, and a means 
to calculate c=H(ul, u2) mod q, Cipher verification equipment characterized by having a means to calculate V=(iiixl+cylu2 x2+cy2v-l) r 
mod p, and a means to verify the justification of a cipher when V checks that it is equal to 1 . 

[Claim 25] Cipher verification equipment characterized by having a means to prove that it is the result of V's using zero information 
certification when not equal to 1, and V calculating like r mod p (ulxl+cylu2 x2+cy2v-l) to a random number r in the cipher verification 
equipment of claim 24 for a third party. 

[Claim 26] Shall consider as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, and Gq 
shall express the subgroup of the order q of a multiplicative group Zp. Make gl and g2 into the origin of Gq, make H into a general-purpose 
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lash Function, and n persons' decode person is set to Pl-Pn. each decode person Pj - the open value wj of a proper - having - **(xl, x2, yl, 
/2, z) Zq5 Distribute with the secrecy variational method of threshold t which fills 3 t<n, and are obtained. The secrecy value (x2 j and yl j, y2 
<U J» zj) corresponding to a value wj is used as the decode person's Pj private key. Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and 
£j=glzjmod p (Xj, Yj, Zj) are used as the decode person's Pj public key. A safe channel shall be between each decode person equipment. 
Moreover, each decode person equipment Receiving a content with other all the members' same decode person equipment shall use the 
>roadcast mold channel guaranteed. The decode person Pj shall hold the secrecy value rj corresponding to a value wj which distributes random- 
lumber r**Zq with the secrecy variational method of threshold t, and is acquired. E= (ul, u2, v, e) is made into the cipher over the plaintext m 
.vhich used lxlg 2 x2modp of X=g, ly lg2of Y=g y2mod p, and Z=glz mod p as the public key. A right cipher ul=glr mod p, u2=g2r modp, 
:=H (ul, u2), A means to be verification equipment of the cipher with which are satisfied of v=Xr Ycrmod p and e=mZr mod p, and to 
;alculate c=H (ul, u2) by receiving E, A means to calculate Vj=(ulxl j+cylju2 x2j+cy2jv-l) rjmod p, Vj is distributed with a verifiable 
secrecy variational method 2t or less more than threshold t. When Vkj is received from a means to acquire the secrecy value Vjk corresponding 
;o a value wk, a means to transmit Vjk through a channel safe for each decode person's Pk equipment, and all other decode person equipments 
Pk, according to a broadcast mold channel If a means to transmit Vj to all other decode person equipments, and Vk are received A means to 
transmit corresponding Vkj to all other decode person equipments according to a broadcast mold channel, every - with a means to verify using 
Vkj that Vk is a right value, and a means to choose 2t+l piece among the right and checked Vk, and to restore V with the secrecy restoration 
procedure to exponent part A means to investigate whether the restored value V is equal to 1, and a means by which will repeat a secrecy 
restoration procedure similarly in other 2t+l piece combination if it becomes, and V investigates [ which is not equal to 1 ] whether V is equal 
to 1, Cipher verification equipment characterized by having a means to judge that the cipher is inaccurate if a restoration value is all equal to 1 
about no 2t+l piece combination, and to judge the cipher to be the right if there is combination set to 1 at least one. 

[Claim 27] w is used as the n-th root of 1 in mod q in the cipher verification equipment of claim 26. Each decode person A means to set wj to 
wj-1 mod q, to consider as the characteristic value of disclosure of wj which fills wj!=l in l<j<n, and to calculate Dj=ulzjmod p, a means to 
transmit Dj to all other decode person equipments according to a broadcast mold channel, and the dispersion which uses as a bottom ul which 
received (Dl, --, Dn) - the cipher verification equipment characterized by having a means to check that a logarithm is the codeword of a BCH 
code. 

[Claim 28] Shall consider as the big prime factor which divides a clear-cut solution for p to the big prime factor, and divides p-1 for q, and Gq 
shall express the subgroup of the order q of a multiplicative group Zp. gl and g2 are made into the origin of Gq, H is made into a general- 
purpose Hash Function, and it is **(xl, x2, y 1, y2, z) Zq5. Private key, lxlg 2 x2mod p of X=g, ly lg2of Y=g y2mod p, and Z=glz mod p (X, 
Y, Z) are used as a public key. It is verification equipment of the cipher to include, the cipher E over Plaintext m c -- as H(ul, u2) mod q - 
ul=glr mod p and u2=g2r mod p - v=Xr Ycrmod p three -- constructing (ul, u2, v) - A means to generate a random number r, and a means 
to calculate xl-xl and rmod q, x2 -x2 and rmod q, yY=y\ and rmod q, and y2'=y2 and rmod q, A means to calculate c=H(ul, u2) mod q from 
the received cipher, Cipher verification equipment characterized by having a means to calculate V=ulxl'+cyr u2 x2'+cy2' v-rmod p, and a 
means to verify the justification of a cipher when V checks that it is equal to 1 from this count result and a receiving cipher. 
[Claim 29] In the cipher verification equipment of claim 28 V when not equal to 1 (X, Y, V) It receives that it is (xl, x2, yl, y2, r). lxlg 2 
x2mod p of X=g, ly lg2of Y=g y2mod p, and V=ulxlr+cy lr u2x2r+cy2r satisfying v-rmod p ~ zero information certification using (xl, x2, 
yl, y2, r), considering as secrecy Cipher verification equipment characterized by having a means to prove to verification person equipment. 
[Claim 30] dispersion of h to which g and h use g as a bottom in the cipher verification equipment of claim 29 -- with a means to be under Gq 
whose logarithm is strange and to generate random numbers r, al, a2, bl, and b2 R=gr ha mod p, RXl=Rxlhalmod p, RX2=Rx2ha2mod p, 
RYl=Rylhblmod p and RY2=Ry2hb2mod p - with a means to exhibit R, RX1, RX2, RY1, and RY2 (X, Y, V, R, RX1, RX2, RY1, RY2) 
receive that it is (xl, x2, y 1, y2, r, a, al, a2, bl, b2). lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, V=ulxlr+cylr u2x2r+cy2r v-rmod p, 
R=gr ha mod p, RXl=Rxlhalmod p, RX2=Rx2ha2mod p, RYl=Rylhblmod p, and RY2=Ry2hb2mod p -- the cipher verification equipment 
characterized by having a means to prove filling relational expression by zero information certification. 

[Claim 3 1] n persons' decode person is set to Pl-Pn in the cipher verification equipment of claim 28. Use w as the n-th root of 1 in mod q, and 
wj is set to wj-1 mod q. In l<j<n, shall fill wj!=l and a value wj is assigned to each decode person Pj. (xl, x2, yl, y2, z) **Zq5 Consider as a 
private key and lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glz mod p are used as a public key. The decode person's Pj private key 
(x2 j and yl j, y2 xlj, j, zj) Distribute xl, x2, and (yl, y2, z) with the secrecy variational method of threshold t which fills 3 t<n, and are 
obtained. Consider as the secrecy value corresponding to a value wj, and Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and Zj=glZjmod p 
(Xj, Yj, Zj) are used as the decode person's Pj public key. A safe channel shall be between each decode person equipment. Moreover, each 
decode'person equipment Receiving a content with other all the members' same decode person equipment shall use the broadcast mold channel 
guaranteed, and it distributes random-number r**Zq with the secrecy variational method of threshold t. rxl, rx2, ryl, and ry2 are distributed 
with the secrecy variational method of threshold t with a means to acquire the secrecy value rj corresponding to a value wj, respectively. A 
means to calculate and obtain secrecy value xlj' corresponding to a value wj, x2j', y lj', and y2j' by the distributed multiplication method, About 
the received cipher, according to a means to calculate c=H (ul, u2), a means to calculate Vj=ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p, and a 
broadcast mold channel A means to transmit Vj to all other decode person equipments, and a means to check that the exponent part of (VI , --, 
Vn) is the codeword of a BCH code, Cipher verification equipment characterized by having a means to restore V with the secrecy restoration 
procedure to exponent part, and a means to verify the justification of a cipher by checking that the restored value V is equal to 1. 
[Claim 32] In the cipher verification equipment of claim 3 1, 2 t<n shall be filled for threshold t. Instead of checking that the exponent part of 
(VI , ~, Vn) is the codeword of a BCH code Without leaking the information concerning [ that Vj is as a result of / of ulxlj'+cy Ij'u2x2j'+cy2 
j'v-rj mod p / right count, and ] xlj', x2j', y lj', y2j', and rj Cipher verification equipment characterized by having a means to prove to other 
decode persons by zero information certification. 

[Claim 33] In the cipher verification equipment of claim 31, when (VI, --, Vn) are not the codewords of a BCH code Without leaking the 
information concerning [ that Vj is as a result of / of ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p / count, and ] xlj', x2j', y lj', y2j\ and rj Cipher 
verification equipment which specifies a means to prove to other decode persons by zero information certification, and the decode person Pj 
who failed in the certification with a deviation person, and is characterized by having a deviation person's secrecy value xlj', x2j', ylj', y2j\ and 
a means to restore rj using secrecy value recovery procedure. 
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)ETAILED DESCRIPTION 



Detailed Description of the Invention] 
0001] 

Field of the Invention] This invention relates to the cipher verification approach that a decode person verifies the justification of a cipher 
especially, and its program documentation medium, about the safe code approach that the information about a decode person's private key does 
lot leak; also when the content of a communication link is kept secret when communicating by the electrical-communication system, and the 
content of decode is exhibited. 
;0002] 

."Description of the Prior Art] In a cryptosystem strong against a selection plaintext attack, a decode person verifies that the transmitting person 
)f a cipher knows the original plaintext by a certain approach. A Cramer-Shoup code Paper R.Cramer and V.Shoup:"A practical public key 
;ryptosystem provablysecure against adaptive chosen Were proposed by chipertext attack", Advances in Cryptology-CRYPTO'98 and LNCS 
1462, Springer- Verlag, pp. 13-25, and 1998. It is the public-key-encryption approach that it can prove that it is strong to an accommodative 
selection cipher attack under an assumption which is called existence of a general purpose one direction nature Hash Function and the difficulty 
3f a Diffie-Hellman judging problem and which is believed widely. A Cramer-Shoup code is the code approach supposing one person's decode 
person with one private key corresponding to one public key. 

r 0003] By the Cramer-Shoup code approach that it is already known in the case of the 1 decode person that it is strong to an accommodative 
Selection cipher attack First, choose the big prime factors p and q so that q may divide p-1, and the origin gl and g2 of the subgroup Gq of the 
order q of a multiplicative group Zp is used. It is **(xl, x2, yl, y2, z) Zq5 about a private key. A public key is set to lxlg 2 x2mod p of X=g, 
ly lg2of Y=g y2mod p, and Z=glz mod p. The cipher E over plaintext m**Gq consists of (ul, u2, v, e), and the cipher created correctly 
satisfies ul=glr mod p, u2=g2r mod p, c=H (ul, u2), v=Xr Ycrmod p, and e=mZr mod p to a certain random number r. First, c=H (ul, u2) is 
calculated and it verifies whether a cipher fills verification type ulxl+cylu2 x2+cy2**v (mod p), the decode person who received this cipher 
refuses decode of that cipher, when not filling, when filling, calculates m=e/ulz modp and gets Plaintext m. 

[0004] By the above-mentioned verification type, a decode person can check that the maker of a cipher knows the original plaintext m. Since 
decode is refused to the unjust cipher with which a verification type is not filled, as for an aggressor, information with useful any is not 
acquired, either. However, when refusing decode by this cipher verification approach as a result of verification, it is actually difficult to prove 
the information concerning [ that the cipher verified to the third party does not serve as V!=v (mod p) as inaccurate / 2 (mod p) /, i.e., 
V**ulxl+cylu2 x2+cy, and ] V, without leaking information in any way. 

[0005] Furthermore, by secrecy distribution distributing a corresponding private key to two or more partial private keys to one public key, and 
making this hold to two or more decode persons so that it may often be carried out by an ElGamal cryptosystem etc. As opposed to an unjust 
cipher with which a verification type is not filled in this code decode approach when the decode person of the manpower exceeding a threshold 
cooperates and it applies the decode with a threshold which enables it to decode a cipher Since the count result V of left part ulxl+cylu2 
x2+cy2 of a verification type becomes known to two or more decode persons, when the decode person who conspired with the aggressor exists, 
information is revealed to an aggressor and the safety to a selection cipher attack cannot be maintained. 

[0006] the decode approach with a threshold - paper V.Shoup and R.Gennaro: "Securing threshold cryptosystems against chosen ciphertext 
attack", Advances in Cryptology-EUROCRYPT, 98, LNCS 1403, Springer-Verlag, and pp.1- 16 and 1998 It is shown under an assumption 
called existence of random Oracle that the proposed method is strong to an accommodative selection cipher attack. 

[0007] However, an assumption called random Oracle can obtain no guarantee about the safety, when it is very unreal and random Oracle is 

replaced and used for the Hash Function considered that the usual collision is difficult. 

[0008] 

[Problem(s) to be Solved by the Invention] In a Cramer-Shoup code, the object of this invention, without leaking the information about the 
value in a verification type entirely When the justification of a cipher can be verified and it is shown that the value of a verification type is not 
just When the decode person of further plurality [ prove / for a third party ] cooperates and verifies that the value is created correctly by zero 
information certification, even if there is an inaccurate person in a decode person The value of a verification type is to offer the cipher 
verification approach which is not revealed to a decode person, either, its program documentation medium, and its equipment. 
[0009] 

[Means for Solving the Problem] The exponentiation of the value of the verification type at the time of the decode in a Cramer-Shoup code is 
carried out with the random number with which everyone of a decode person cannot know the value, and the justification of a cipher is verified 
by verifying whether the result of having carried out the exponentiation is set to 1 . Count of carrying out a exponentiation by these random 
numbers, by carrying out by cooperation of a total-session person by distributed count Also when not filling a verification type, the value of the 
verification type before carrying out a exponentiation is revealed to no decode person, and it is got blocked. When not just Since calculated 
value turns into a value which is not 1 and the exponentiation of the value is carried out by the random numbers, even if the value by which the 
exponentiation is carried out is shown and it is shown that calculated value is not 1, i.e., are not just, the value in front of the exponentiation is 
hidden, and there is no possibility that information may leak. 
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0010] Setting n persons' decode person to Pl-Pn, each decode person Pj (j= 1, 2, n) shall have the open value wj of a proper, (xl, x2, y 1, 
2, z) **Zq5 It distributes with the secrecy variational method of threshold t, and let the secrecy value (x2 j and yl j, y2 xlj, j, zj) 
orresponding to a value wj be the decode person's Pj private key. 

001 1] Moreover, let Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys. It 
onsiders as the public key which uses lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glz mod p (X, Y, Z) for encryption. It shall 
onnect by the safe channel between each decode person equipment, and each decode person equipment shall use the broadcast mold channel it 
s guaranteed to be to receive a content with other all the members' same decode person equipment. 

0012] E= (ul, u2, v, e) is made into the cipher of the plaintext m enciphered by the Cramer-Shoup code approach. Decode person equipment 
>erforms a distributed random-number generation procedure in cooperation, and the decode person's Pj equipment acquires the secrecy value 
j. Here, rj is a secrecy value corresponding to the value wj at the time of distributing random-number r**Zq with the secrecy variational 
aethod of threshold t, and is the value which can recover r with a secrecy decode procedure from the secrecy value of t+1 piece of arbitration, 
/loreover, each decode person equipment cannot know the value of r, but r becomes the random integer of under or more Oq from the property 
»f a distributed random-number generation procedure. 

0013] The equipment of each decode person Pj who received E calculates c=H (ul, u2) and Vj=(ulxl j+cylju2 x2j+cy2jv-l) rjmod p. 
•'urthermore, Vj is distributed with a with a threshold [ of 2t ] verifiable secrecy variational method, and the secrecy value Vjk corresponding to 
i value wk (k= 1,2, --, n, k!=j) is transmitted through a channel safe for each decode person's Pk equipment. After receiving Vjk from all other 
lecode person equipments, the decode person's Pk equipment transmits Vk to all other decode person equipments through a broadcast mold 
:hannel. As for each decode person equipment, each Vk which received verifies using Vkj that it is a right value. 
0014] 2t+l piece is chosen among the right and checked Vk, and it investigates whether the value V restored with the secrecy restoration 
>rocedure to exponent part, i.e., xlk+cylk, and x2k+cy2k is equal to 1. If not equal, a secrecy restoration procedure will be similarly repeated 
n other combination, and if a restoration value is all equal to 1 about no 2t+l piece combination, decode will be refused and it will stop. 
0015] the private key restoration procedure as opposed to [ when each decode person equipment calculates according to the above-mentioned 
>rocedure ] the exponent part from the right Vk of the arbitration beyond 2t+l piece - V=(ulxl+cylu2 x2+cy2v-l) r mod p - V can be 
estored. here, in cooperation with [ V / V makes p law and ] 1 - if it becomes - Cramer-Shoup - in cooperation with [ the original value of 
/erification type ulxl+cy lu2 x2+cy2 in law ] v. On the other hand, when V becomes in cooperation with 1, it is in cooperation with [ an 
>riginal verification type ] v or a random number r is 0. However, the probabilities for the random number r generated in the distributed 
andom-number generation procedure to be set to 0 are 1/q, and since they are small enough, they can be disregarded. Therefore, V can 
;onsider in cooperation with [ an original verification type ] v, when in cooperation with 1. 

0016] Here, it is assumed that there are a maximum of t decode persons who commit injustice, these t persons - (1) - it is made for the value 
/ of the verification type to the unjust cipher E to be set to 1 - (2) - it can deviate from the above-mentioned procedure for two kinds of the 
jbject of** of making it the value V of the verification type to the just cipher E not set to 1 [or ] First, in order to make the object of (1) 
juccessful, it must be made for the value of V restored from a certain 2t+l piece Vk to be set to 1. However, before all decode person 
jquipments including inaccurate person equipment get to know the value of Vk which other decode person equipments take out Since the value 
;>f Vk of self-equipment cannot be changed after having to distribute the value of one's Vk by the verifiable secrecy distribution approach and 
getting to know the value of Vk of other decode person equipments Only when the anticipation about Vk of other decode person equipments 
;omes true, an inaccurate decode person can attain the object of (1). The probabilities for anticipation to come true are 1/q, and since they are 
small enough, they can be disregarded. Next, since an inaccurate person is at most t persons and, as for other 2t+l person equipments, the right 
value is transmitted even if inaccurate decode person equipment transmits what kind of unjust value Vk about the case of (2), the whole of at 
least one kind can take the set which consists of 2t+l piece Vk of a right value, and V= 1 is restored from such a set. 

'0017] Since one value of r which fills V=(iilxl+cylu2 x2+cy2v-l) r mod p to any values of ulxl+cy lu2 x2+cy2 about informational leakage 
when V is not 1 becomes settled Even if the value of (ulxl+cylu2 x2+cy2v-l) is randomized by r and shows this randomized value, the value 
before being randomized by r does not leak, that is, the information about ulxl+cylu2 x2+cy2 does not leak at all by the above-mentioned 
verification approach. 

0018] As mentioned above, without leaking the information about a private key entirely, if the decode person who commits injustice 
iccording to this invention is less than [ of all decode persons ] 1/3, by cooperation of two or more decode person, it is possible to calculate a 
verification type equivalent to the verification type of the original Cramer-Shoup code approach, and, therefore, two or more decode person's 
;ode decode equipment strong against an accommodative selection cipher attack can be constituted. 

0019] When n decode persons are in the above technique, to n data for verification (VI, --, Vn) received from all decode person equipments, 
jach decode person equipment takes out 2t+l piece data, and verifies whether a certain verification type is satisfied. When not satisfied, this 
/erification is performed to all the 2t+l piece combination that can be taken to n pieces. Therefore, in not satisfying a verification type, it has 
he fault that computational complexity increases exponentially, to several n of a decode person. 

0020] According to another viewpoint of this invention, in the code decode approach by two or more decode persons, the cipher verification 
ipproach and its program documentation medium of a code strong against the accommodative selection cipher attack which can be recovered 
iven if it can perform count efficiently also to many decode persons and 1/3 or more decode persons perform injustice are offered. That is, as a 
neans to reduce the computational complexity to the number of decode persons, by making each decode person equipment prove the 
ustification of that result by zero information certification, an inaccurate person is specified and, according to another viewpoint of this 
invention, a cipher is first verified only using just data. By doing so, it is possible to verify by the computational complexity proportional to 
;everal n of a decode person. However, since there is much traffic, when injustice hardly happens, effectiveness is bad [ the zero information 
unification used in this case ]. When a right cipher is received by setting the open value of each decode person's proper that the count result of 
;ach decode person equipment serves as a codeword of a BCH code, and addressee equipment verifying that a count result is a codeword, and 
performing zero information certification only when it is not a codeword, it becomes possible to perform efficient count, with traffic stopped. 
[0021] If based on this approach, the number of the inaccurate persons who can approve is to t persons who fill 3t+l>n, and when a safe system 
with more high tolerance is desired, it is unsuitable. Moreover, although it also becomes bored when an inaccurate person is less than [ 1/3 or 
more ] 1/2, and other decode person equipments compute and exhibit the distributed private key which the inaccurate decode person has in 
cooperation with the case where an inaccurate person is specified as a means, a technical problem is solved by enabling it to calculate a right 
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esult instead of the inaccurate decode person. 

0022] The concrete means is as follows, n persons' decode person is set to Pl-Pn, and the open value wj of a proper is assigned to each decode 
•erson Pj. Threshold t which fills 3 t<n is defined, (xl, x2, y 1, y2, z) **Zq5 It distributes with the secrecy variational method of threshold t, 
nd let the secrecy value (x2 j and yl j, y2 xlj, j, zj) corresponding to a value wj be the decode persons Pj private key. 
0023] Moreover, let Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys. It 
onsiders as the public key which uses Ixlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glz mod p (X, Y, Z) for encryption. It shall 
onnect by the safe channel between each decode person equipment, and each decode person equipment shall use the broadcast mold channel it 
s guaranteed to be to receive a content with other all the members' same decode person equipment. 

0024] E= (ul, u2, v, e) is made into the cipher of the plaintext m enciphered by the Cramer-Shoup code approach. Decode person equipment 
•erforms a distributed random-number generation procedure in cooperation, and the decode person's Pj equipment acquires the secrecy value 
j. Here, rj is a secrecy value corresponding to the value wj at the time of distributing random-number r**Zq with the secrecy variational 
nethod of threshold t, and is the value which can recover r with a secrecy decode procedure from the secrecy value of t+1 piece of arbitration. 
Moreover, each decode person cannot know the value of r, but r becomes the random integer of under or more Oq from the property of a 
listributed random-number generation procedure. 

0025] Next, all decode person equipments cooperate, and perform a distributed multiplication means, and each decode person's Pj equipment 
)btains secrecy value xlj', x2j\ y lj', and y2j'. Secrecy value xlj' is a value which distributes the product of a random number r and a private 
cey xl with the secrecy variational method of threshold t, and is acquired, and can decode xlj' to r-xl (mod q) which t+1 person's decode 
)erson of arbitration has here, r and x2 (mod q), r-yl (mod q), and r-y2 (mod q) can be similarly restored from the value of t+1 piece of 
irbitration about secrecy value x2j', ylj', and y2j', respectively. 

0026] Each decode person Pj equipment which received E calculates c=H (ul, u2) and Vj=ulxlj'+cylj'u2x2j'+cy2 j'v-rj mod p, and transmits 
vj to all other decode person equipments through a broadcast mold channel. Next, each decode person equipment checks that the exponent part 
if (VI, --, Vn) is the codeword of a BCH code. When it becomes clear not the codeword of a BCH code but that it is not right, the exponent 
)art of (VI, -, Vn) each decode person's Pj equipment It proves to other decode persons by zero information certification, without leaking the 
nformation concerning [ that Vj is as a result oil of ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p / count, and ] xlj', x2j', ylj', y2j', and rj. 
0027] It considers that the decode person Pj who failed in certification is an inaccurate person, and other decode person equipments recover 
;ecrecy value xlj* of the deviation person who is the inaccurate person, x2j\ ylj', y2j\ and rj using secrecy value recovery procedure, and he 
exhibits the value of the right Vj. The rights (V 1 , --, Vn) including the value of the exhibited right Vj are obtained. After the exponent part of 
VI, -, Vn) checks the right thing and that it is a codeword, the secrecy restoration procedure to exponent part restores a value V. Each decode 
person equipment investigates whether V is equal to 1, and if not equal, decode will be refused and it will stop. <BR> [0028] If equal, each 
decode person's Pj equipment will calculate Dj=ulzjmod p, and will transmit it to all other decode person equipments according to a broadcast 
nold channel. Each decode person equipment which received Dj verifies the codeword same with having carried out to (VI, -, Vn) to (Dl, «, 
3n), when injustice is detected, performs zero information certification similarly, specifies an inaccurate person, and it recovers the value of the 
-ight Dj using secrecy value recovery procedure. 

•0029] From the right (Dl, --, Dn), with the secrecy restoration procedure to exponent part, each decode person equipment restores D=ulz mod 
p, calculates m=e/Dmod p, and decodes Message m. the private key restoration procedure as opposed to [ when each decode person equipment 
Calculates according to the above-mentioned procedure ] the exponent part from the right Vk of the arbitration beyond 2t+l piece - V= 
;ulxl+cylu2 x2+cy2v-l) r mod p - V can be restored, here, in cooperation with [ V / V makes p law and ] 1 - if it becomes - Cramer-Shoup 

in cooperation with [ the original value of verification type ulxl+cylu2 x2+cy2 in law ] v. On the other hand, when V becomes in 
cooperation with I, it is in cooperation with [ an original verification type ] v or a random number r is 0. However, the probabilities for the 
random number r generated in the distributed random-number generation procedure to be set to 0 are 1/q, and since they are small enough, they 
can be disregarded. Therefore, V can consider in cooperation with [ an original verification type ] v, when in cooperation with 1. 
[0030] Here, it is assumed that there are a maximum of t decode persons who commit injustice, these t persons ~ (1) - it is made for the value 
V of the verification type to the unjust cipher E to be set to 1 - (2) -- it can deviate from the above-mentioned procedure for two kinds of the 
object of** of making it the value V of the verification type to the just cipher E not set to 1 [ or ] However, the output of all decode person 
equipments can detect the existence, if an unjust value is less than [ of the whole ] 1/3 when an unjust value exists since it is verified by 
:odeword inspection of a BCH code. In such a case, since each decode person proves the Tightness of an output value by zero information 
certification, the inaccurate person who outputted the unjust value fails in certification, and is eliminated. 

003 1 ] About informational leakage, when V is not 1, since one value of r which fills V=(iUxl+cylu2 x 2+cy2v-l) r mod p to any values of 
ulxl+cy lu2 x2+cy2 becomes settled, by the above-mentioned verification approach, the information about ulxl+cylu2 x2+cy2 does not leak 
it all. As mentioned above, without leaking the information about a private key entirely, if the decode person who commits injustice according 
:o this invention is less than [ of all decode persons ] 1/3, by cooperation of two or more decode person, it is possible to calculate a verification 
•ype equivalent to the verification type of the original Cramer-Shoup code approach, and, therefore, two or more decode person's code decode 
approach strong against an accommodative selection cipher attack can be constituted. 

0032] By computing and exhibiting the distributed private key which codeword inspection of a BCH code is not conducted, but zero 
information certification is always performed in the above-mentioned means on the other hand, an inaccurate person is specified, other decode 
persons cooperate, and the inaccurate decode person has Although it also becomes bored, since a right result is calculable instead of the 
inaccurate decode person, it can respond to less than 1/2 inaccurate person (in order to determine by majority that zero information certification 
is right, one half of decode persons at least must be right). 
[0033] 

[Embodiment of the Invention] The cipher verification approach which is the first example of this invention is explained to one or less 
example. The cipher created with cipher implementer equipment 1 1 as shown in drawing 1 is decoded with decode person equipment 12. If it is 
not a right cipher, in order to avoid carrying out decode refusal freely with decode person equipment 12, it verifies whether decode refusal is 
appropriate with verification person equipment 13. 

[0034] There shall be the big prime factors p and q now, and q shall divide p-1. The origin gl and g2 of Gq is chosen at random. It considers as 
the public key which uses lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glzmod p for an encryption procedure. Here, it is **(xl, 
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;2, yl, y2, z) Zq5. It carries out. The public key shall be exhibited with p, q, gl, and g2 as a open parameter. Moreover, the private key shall be 
.tored on the memory of decode person equipment. 

0035] As shown in drawing 2 , after receiving cipher E- (ul, u2, v, e) of the plaintext m enciphered by the Cramer-Shoup code approach 
vhich used X, Y, and Z as the public key (SI), Decode person equipment generates a random number r (S2), and calculates c=H (ul, u2) and 
7=(ulxl+cy lu2 x2+cy2v-l) r mod p (S3). If V becomes one, this cipher will be considered as acceptance and (S4) and decode count will be 
)erformed (S5). 

0036] If V is not 1, it will consider as a rejection. In order to prove that it is a rejection to a third party, BC (r) is exhibited using bit 
jommitment function BC(). There are some which are depended on Pedersen in this bit commitment function. That is, a random number s is 
generated and it calculates with BC(r, s):=gr hs mod p. dispersion of h to which g and h use g as a bottom here - it is under Gq whose 
ogarithm is strange. 

0037] r which constitutes BC (r, s), xl which constitutes public keys X and Y, x2, and yl and y2 ~ using - r mod p (ulxl+cylu2 x2+cy2v-l) 
it proves to a third party by zero information certification, without leaking the secrecy concerning [ that the result of having calculated is V, 
ind ] r, xl, x2, and yl and y2 (S6). [ then, ] The following procedures perform this zero information certification. 

0038] dispersion of h which uses g as a bottom for g and h below - it considers as the origin of Gq whose logarithm is strange, decode person 
equipment - random numbers a, al, a2, bl, and b2 - Zq - choosing -- R=gr ha mod pRXl=Rxlhal modpRX2=Rx2ha2 modpRYl=Rylhbl 
nodpRY2=Ry2hb2 modp - R, RX1, RX2, RY1, and RY2 are sent to verification person equipment. 

[0039] Furthermore, decode person equipment chooses a random number wO from Zq as random, and is K=g and L=gw0. mod p is sent to 
verification person equipment. Verification person equipment calculates B=Ke0Lel modp by choosing eO and el from Zq as random, and 
sends B to decode person equipment. 

[0040] Decode person equipment chooses random numbers wl-wl8 from Zq as random. Tl =gl wlg2 w2 mod pT2 =gl w3g2 w4 mod pT3 
=gw5gw6 mod pT4 = Rwlhw7 mod pT5 =Rw2hw8 mod pT6 =Rw3hw9 mod pT7 =Rw4hwlO mod pT8 = Calculate gwl 1 hwl2 mod pT9 
=gwl3 hwl4 mod pT10=gwl5 hwl6 mod pTl l=gwl7 hwl8 mod pT12=ulwl 1+cw15u2w13+cw17 v-w5 mod p. It sends to verification 
person equipment. 

[0041] Verification person equipment sends eO and el to decode person equipment. 

Decode person equipment checks that B=Ke0Lel modp is realized, and when not realized, it stops certification. When this is realized, Decode 
person equipment is zl=wl+e0 and xl modqz2=w2+e0 and x2 modqz3=w3+e0 and yl modqz4=w4+e0 and y2 modqz5=w5+eO and r. 
modqz6=w6+e0anda modqz7=w7+e0 and al modqz8=w8+e0 and a2 modqz9=w9+e0 and bl modqzl 0=wl0+e0 and b2 modqzl l=wl 1+eO and 
r-xl modqzl 2=wl2+e0 (a-xl+al) modqzl 3=wl3+e0, r, and x2 modqzl4=wt4+e0 (a and x2+a2) modqzl 5=wl5+e0 and r-yl 
modqzl 6=wl6+e0 (a-y 1+bl) modqzl 7=wl7+e0 and r-y2 modqzl 8=wl8+e0 (a-y2+b2) modq It calculates and zl-zl8, and wO are sent to 
verification person equipment. 

[0042] Verification person equipment L=gw0 modpgl zlg2 z2=Tl XeOmod pgl z3g2 z4=T2 YeOmod pgz5hz6=T3 ReO modpRzlhz7=T-four 
e(RXl)0mod pRz2hz8=T5 e(RX2)0mod pRz3hz9=T6 e(RYl)0mod pRz4hzlO =T7 e(RY2)0mod pgzl 1 hzl2 =T8 e(RXl)0mod pgzl3 hzl4 
=T9 e(RX2)0mod It verifies that pgzlS hzl6 =T10(RY1) eOmod pgzl7 hzl8=Tl 1(RY2) eOmod plutoniumlzl 1+cz15u2z13+cz17 v-z5 
=T12Ve0mod p is realized. 

[0043] The principle of the upper certification is Schnorr. It is the same as that of a signature, and since a verification type is realized only 
when decode person equipment creates correctly V, X, Y, R, RX1, RX2, RY1, and RY2, when at least one is not realized, verification is 
considered as failure. 

The second example of this invention is explained to two or less example. As shown in drawing 3 R> 3, they are code implementer equipment 
1 1 and 121 -12n of each equipment of the decode persons Pl-Pn. It connects with the broadcast mold channel 14, and is 121- 12n of decode 
person equipment. It connects by the channel 15 safe for mutual. 

[0044] There shall be the big prime factors p and q now, and q shall divide p- 1 . The origin gl and g2 of Gq is chosen at random. First, n 
persons' decode person is set to Pl-Pn, and the open value wj of a proper is assigned to each decode person Pj (j = K 2, --, n). Threshold t which 
fills 3 t<n is defined. All decode person equipments perform the distributed random-number generation procedure of threshold 1 3 times, and 
the decode person's Pj equipment acquires a secrecy value (x2 j and yl j, y2 xlj, j, zj), and makes this the decode person's Pj private key. 
Moreover, let Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys. 
Furthermore, it considers as the public key which uses lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glz mod p for an encryption 
procedure. Here, it is **(xl, x2, yl, y2, z) Zq5. It is the random number restored by the secrecy restoration procedure from t+1 set of secrecy 
values (x2 j and yl j, y2 xlj, j, zj) of arbitration. There is an approach by Pedersen in the distributed random-number generation procedure 
which generates such a random number. Below, the distributed random-number generation procedure is shown. 

[0045] Between each decode person equipment, as shown in drawing 3 , there shall be a safe channel 15 and each decode person equipment 
shall use the broadcast mold channel 14 it is guaranteed to be to receive a content with other all the members' same decode person equipment. 
S-l) the equipment of Pj - two polynomials on Zq - f(X) =a0 j+aljX+--+atjXt And gj (X) =b0 j+bljX+~+btjXt random ~ choosing - every - 
fj (wk) and gj (wk) are transmitted to the equipment except for 1,2, -, n, and k=j k= - of Pk through a safe channel. 

[0046] S-2) The equipment of Pj calculates Cij=glaij g2bij mod p to i= 1, --, t, and transmits it to all other decode person equipments through a 
broadcast mold channel. 

S-3) The equipment of Pk which received Cij from all other decode person equipments is glfj(wk) g2gj(wk) =C0jwk0 and Cljwkl as wki=wki 
mod q. - It verifies that Ctjwkt mod p is realized. 

[0047] S-4) The equipment of Pk is xl k=fl(wk)+f2(wk)+. - They are +fn(wk) mod q and x2k=gl(wk)+g2(wk)+. - Distributed random- 
number value xl k and x2k are obtained as +gn(wk) mod q. 

S-5) X=C00, C01 - It is referred to as COn modp. Private key ylj, y2j, and zj to which public keys Y and Z and each decode person correspond 
similarly are also created similarly. 

[0048] All decode person equipments generate distributed random-number r**Zq with a distributed random-number generation procedure, and 
each decode person's Pj equipment holds the secrecy value rj ( drawing 5 , SI). After receiving cipher E= (ul, u2, v, e) of the plaintext m 
enciphered by the Cramer-Shoup code approach which used X, Y, and Z as the public key (S2), each decode person's Pj equipment calculates 
c=H (ul, u2) and Vj=(ulxl j+cylju2 x2j+cy2jv-l) rjmod p (S3). 
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0049] Then, the equipment of Pj distributes Vj with a with a threshold [ of 2t ] verifiable secrecy variational method, and the secrecy value 
vfjk corresponding to a value wk is transmitted through a channel safe for each decode person's Pk equipment (S4). The approach of Pedersen 
:an be used for the verifiable secrecy variational method used here. The following is the procedure. 

M) g and h which there are the big prime factors P and Q, and Q divides P-l, and are made into Q>p are GQ whose value of log g h is strange, 
it considers as origin. 

0050] P-2) the equipment of Pj - ZQ Two upper polynomials fj (X) =Vj+aljX+--+atjXt And gj (X) =b0 j+bljX+--+btjXt (however, it 
;onsiders as aO j=Vj) - the part of Vj - removing - random - choosing every - fj (wk) and gj (wk), i.e., Vjk, are transmitted to the 
jquipment of Pk through a safe channel. 

?-3) The equipment of Pj calculates Cij=gaij hbij mod p to i= 1, --, t, and transmits it to all other decode person equipments through a broadcast 
nold channel. 

0051] P-4) The equipment of Pk which received Cij is gfj(wk) hgj(wk) =C0jwk0 and Cljwkl as wki=wki mod q. It verifies that Ctjwkt mod 
) is realized, that is, Vjk is verified (S5). 

^-5) When not realized, the equipment of Pk transmits a "rejection" to all other decode person equipments through a broadcast mold channel. 
.0052] When advice of P-6 "a rejection" is t+1 or more pieces, it is considered that Pj is an inaccurate person, it is eliminated (S6), and all other 
iecode person equipments discard all the information that the equipment of Pj transmitted before. The step of P-4, and 5 and 6 is the procedure 
Df performing verification of the distributed secrecy value Vjk, and an inaccurate person's abatement, and after all decode person equipments 
finish transmitting data, you may carry out by releasing a rejection list collectively. 

[0053] After all decode person equipments distribute Vj with the above-mentioned procedure, each decode person's Pj equipment transmits Vj 
and bOj to all other decode person equipments through a broadcast mold channel (S7). The equipment of each decode person Pj who received 
this checks that CO j=gl VjhbOj mod p is realized, and verifies Vj (S8). When not realized, like the above, a "rejection" is notified to all other 
decode person equipments, and an inaccurate person is eliminated (S9). 

[0054] 2t+l piece is chosen as arbitration from the right and all checked Vk(s) (S10), and it investigates whether the value V restored with the 
secrecy restoration procedure to exponent part is equal to 1 (SI 1). The secrecy restoration procedure to exponent part is reference. Cramer, 
st.al: "A seure and Optimally Efficient Multi-Authority Election Scheme", Advances in Cryptology-Eurocrypt'97, LNCS 1233 Springer- 
Verlag, pp. 103-1 18, and 1997 It is detailed. The restoration procedure to the exponent part at the time of setting to alpha the set of the index k 
of 2t+ 1' piece Vk chosen as below is shown. The secrecy value of exponent part presupposes that it is the secrecy value acquired with the 
verifiable secrecy variational method of Pedersen. 
[0055] R-l) It is a Lagrange interpolation multiplier first [0056] 
[Equation 1] 

It calculates by carrying out. 
R-2) Next, [0057] 
[Equation 2] 

V = n jea V/j,« mod p 

It calculates. If V is not 1, a secrecy restoration procedure will be similarly repeated in other 2t+l piece combination (SI 2). If a restoration 
value is all equal to 1 about no combination, a rejection will be notified and it will stop. 

[0058] If there is combination set to 1 at least one, this cipher will be considered as acceptance. Each decode person's Pj equipment calculates 
Dj=ulzjmod p, as shown in drawing 4 R> 4 (SI), and it transmits it to all other decode person equipments according to a broadcast mold 
channel (S2). the dispersion to which each decode person equipment which received Dj uses ul of Dl, ~ , Dn as a bottom - by checking that a 
logarithm is the codeword of a BCH code, if it is (S4) and a codeword, the secrecy restoration procedure to the above-mentioned exponent part 
will restore D=ulz mod p (S5), m=e/D modp will be calculated, and Message m will be decoded (S6). If it is not a codeword in step S4, what is 
made to prove the Tightness of count and cannot be proved by zero information certification will be discarded as inaccurate Di (S7). 
The third example of this invention is explained to three or less example. 

[0059] A safe channel shall be between each decode person equipment, and each decode person equipment shall use the broadcast mold 
channel it is guaranteed to be to receive a content with other all the members' same decode person equipment. There shall be the big prime 
factors p and q and q shall divide p-l. The origin gl and g2 of Gq is chosen at random. First, n persons' decode person is set to Pl-Pn, and the 
open value wj of a proper is assigned to each decode person Pj. Threshold t which fills 3 t<n is defined. 

[0060] First, the secrecy distribution approach by Pedersen is shown. First, g and h It considers as the origin of Gq whose logg h is strange. The 
equipment of the portioner P who distributes the secrecy values aO and bO is t-th two polynomials f(X) =a0+alX+ on Zq. - It is +atXt and g(X) 
=b0+blX+. - It is +btXt. Except for aO, it chooses at random, and f (wj) and g (wj) are sent to each addressees Pj equipment through a safe 
channel. 

[0061] Next, the commitment value Ei of each multiplier is calculated like Ei=gaihbimod p to i= 0, -, t, and it opens to the public through a 
broadcast mold channel. Each equipment of Pj which received these is gf (wj) as uji=wji mod q. hg (wj) =E0uj0 Elujl - It verifies that Etujt 
mod p is realized. This EOujO Elujl - The value of Etujt mod p is called the commitment to the distributed secrecy value of Pj. If the 
commitment value of each multiplier is exhibited, anyone can also calculate the commitment to which distributed secrecy value of Pj. 
[0062] Below, it is Ped (aO, bO) about this secrecy distribution approach [g, h]. -> (aOj, bOj) (E0, --, Et) 

** - it writes like. (aO, bO) are confidential information distributed, each equipment of Pj is the distributed secrecy value received through a 
safe channel, and its (aOj, bOj) are equal to f (wj) and g (wj) respectively. (E0, --, Et) are commitment values of each multiplier exhibited 
through a broadcast mold channel, [g, h] express the bottom used in case a commitment is created. As long as there is especially no notice 
about the above-mentioned notation, the multiplier of the polynomial except a constant term shall be chosen at random. 
[0063] Thus, from the distributed secrecy value, when polynomial interpolation recovers the original secrecy, the holder of each distributed 
secrecy value exhibits the value first. It is gaOj hbOj =E0uj0 Elujl to the exhibited value (aOj, bOj). - It checks that Etujt modp is realized. The 
set which that index j makes is set to alpha about t+1 (aOj, bOj) of arbitration of which this formula consists. It is a Lagrange interpolation 
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nultiplier [0064] 
Equation 3] 

.\,a =n kea . k *|l/(H0 mod q 

t is [0065] when it carries out. 
Equation 4] 

E jea A i>a aOj rood q = a 0 

\ next door and aO are recoverable. bO is recoverable similarly. The above-mentioned secrecy distribution approach can completely be 
similarly performed, even if it uses only one bottom. In such a case, it is written as Ped(aO) [g] -> (aOj) (E0, --, Et). 

0066] The random number distributed in cooperation by two or more persons is generable using this secrecy distribution approach. First, the 
equipment of Pi chooses random numbers ai and bi from Zq, and is this Ped(ai, bi) [g, h] -> (aij, bij) (EiO, --, Eit) 

'* -- it distributes like. All the members of Pl-Pn perform this. Then, the equipment of Pj receives (alj, blj), --, (anj, bnj) from a safe channel, 
ind receives (E10, -, Elt), --, (EnO, --, Ent) from a broadcast mold channel. At this time, it is the distributed secrecy value (xlj, x2j) of Pj 
<lj=alj+ - +anj modq, x2j=blj+ - It is referred to as +bnj modq. The random-number value xl recovered from this distributed secrecy value 
•s [0067]. 
"Equation 5] 

x 1 = 2 Je <rA kf a x 1 j = a 1 +-+an mod q 

Tlie value is known by nobody until it comes out, and it is and recovery is performed. Moreover, the commitment value EXk of the k-th 
multiplier of the polynomial which makes this secrecy random -number value a constant serves as EXk=El k-E2 k-Enkmod p. Especially, it is 
:autious of it being EX0=gxlhx2mod p. This approach is called distributed random-number generation, and it is Rand([a], [b]) [g, h] -> (aj, bj) 
CEO, --, Et). 

It writes, ([a] [b]) is a random-number value generated and means that the value of [ ] is strange to every calculator, [g, h] - and [ of 
semantics ] (aj, bj) (E0, --, Et) is the same as that of the notation of the above-mentioned secrecy distribution. 

r0068] All decode person equipments are the distributed random-number generation procedure of threshold t Rand([xl], [x2]) [gl, g2] -> (xlj, 
*2j) (EX0, --, EXt) 

Rand([y 1], [y2]) [gl, g2] -> (y lj, y2j) (EY0, «, EYt) 
Rand ([zl]) [gl] -> (zlj) (EZ0, -, EZt) 

** -- performing 3 times like, the decode person Pj acquires a secrecy value (x2 j and y 1 j, y2 xlj, j, zj), and makes this the decode person's Pj 
orivate key. Moreover, let Xj=glxlj g2 x2jmod p, Yj=glylj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys. 
Furthermore, it considers as the public key which uses X=EX0=glxlg2 x2modp, Y=EY0=glylg2y2mod p, and Z=EZ0=glz mod p for an 
encryption procedure. It is **(xl, x2, y 1, y2, z) Zq5 here. It is the random number restored by the secrecy restoration procedure from t+1 set of 
secrecy values (x2 j and yl j, y2 xlj, j, zj) of arbitration. 

[0069] All decode person equipments perform distributed random-number generation procedure Rand ([r], [s]) [gl, g2] -> (rj, sj) (R0, --, Rt), 
and generate distributed random-number r**Zq, and each decode person's Pj equipment holds the secrecy values rj and sj ( drawing 6 , SI). R 
is set to R=R0=glr g2second mod p here. 

[0070] Next, all decode person equipments obtain secrecy value xlj', x2j\ ylj', and y2j' with a distributed multiplication means (S2). Secrecy 
value xlj' is a value which distributes the product of a random number r and a private key xl with the secrecy variational method of threshold t, 
and is acquired, and can decode rxl (mod q) here from xlj' which t+1 person's decode person of arbitration has. rx2 (mod q), ryl (mod q), and 
ry2 (mod q) can be similarly restored from the value of t+1 piece of arbitration about secrecy value x2j', ylj', and y2j', respectively. About such 
a distributed multiplication means, it performs as follows. 

[0071] The decode person's Pj equipment is Ped(xlj, x2j) [gl, g2] -> (xlji, x2 ji) (EXjO, --, EXjt). 

It performs. Each equipment of Pj calculates Rj=glrjg2sjmod p. This value Rj is Rj=R0uj0 Rlujl as uji=wji mod q. - Since you may calculate 
like Rtujt mod p, it is cautious of the ability of anyone to calculate. 

[0072] Next, the polynomial used for distributing xlj and x2j by Ped (xlj, x2j) is used for the equipment of Pj as it is, and it is Ped(xlj, slj) 

[Rj, g2] -> (xlji, slji) (ERX ljO, -, ERXljt). 

Ped(x2j, s2j) [Rj, g2] -> (xlji, s2ji) (ERX 2j0, --, ERX2jt) 

It performs. However, slj and s2j also choose at random the polynomial which chooses at random and makes these a constant term. 
[0073] To the last, the equipment of Pj is Ped(xl j-rj, xlj-sj+slj) [gl, g2] -> (rxlji, rslji) (ERX ljO, -, ERXljt). 
Ped(x2j-rj, x2j-sj+s2j) [gl, g2] -> (rx2ji, rs2ji) (ERX 2j0, ~, ERX2jt) 
It carries out. 

[0074] Each equipment of Pl-Pn performs the above-mentioned procedure. The equipment of Pi is the set (rxl li, -, rxlni) of a distributed 
secrecy value which received to a Lagrange interpolation multiplier [0075] 
[Equation 6] 

ij.* =n k£a , k *jj/(j-k) £i/c> 

xl j' = Zj € a»j,ff rxl j i mod q 

It calculates. The set of the index of right xlj' is set to beta, and it is [0076] at the time of |beta|>=t+l . 
[Equation 7] 
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= Si €fl Au tSje,*,.* rx 1 i j J 
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iince a next door and multiplication result r-xl are recoverable, it turns out that xlj' is the t-th distributed secrecy value of r-xl. x2j' as well as 
:lj' is calculated. Furthermore, a distributed multiplication procedure is similarly performed and calculated about secrecy value ylj' and y2j\ 
0077] After receiving cipher E= (ul, u2, v, e) to the plaintext m enciphered by the Cramer-Shoup code approach (S3), each decode person's Pj 
:quipment c=H (ul, u2) and Vj=ulxlj'+cylj , u2x2j , +cy2 j'v-rj mod p are calculated, and Vj is transmitted to all other decode person equipments 
hrough (S4) and a broadcast mold channel (S5). Next, as for each decode person equipment, the exponent part of (VI, --, Vn) checks that it is 
he codeword of a BCH code (S6). A codeword verification procedure reference F.J.Mac Williams : "The Thory of Error Correcting Codes", 
>Jorth-Holland Mathematical Library, and pp.201-202 - or M. Ben-Or and S.GoIdwasser, A. Wigerson:" Completeness Theorems for Non- 
:ryptographic Fault-Tolerant Distributed Computation" and 20 th ACM Symposium on Theory It is detailed to of Computing, pp. 1-10, and 
• 988. A codeword verification procedure is shown below. 

w!=l is used as the n-th root of 1 in mod q, and it is referred to as xiij=wj (i-1) modq. 
It is [0078] about j= 1,-, a!12tj. 
Equation 8] 

/ 1 f U V 2 f 2j - "'V n Fnj mod p = 1 

X checks becoming. When it becomes clear with the above-mentioned procedure that the exponent part of (VI, --, Vn) is not right, each decode 

person's Pj equipment It proves to other decode person equipments by zero information certification, without leaking the information 

;oncerning [ that Vj is as a result of / of ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p / count, and ] xlj', x2j\ ylj', y2j\ and rj (S7). 

0079] This zero information certification is performed as follows. However, by explanation of the procedure to following Pj, since Subscript j 

s attached to all variables, this is excluded and explained. First, distributed secrecy value xV which Pj holds, x2', yl\ y2', and r are received, a, 

il, a2, and bl as a certain random number R=glr g2second mod pRXl=ERX10=Rxlg2almod pRX2=ERX20=Rx2g2a2mod 

)RY 1 =ERY 1 0=Ry 1 g2b 1 mod pRY2=ERY20=Ry2g2b2mod The values R, RX1, RX2, RY1, and RY2 of a commitment p Becoming can be 

icquired from the commitment value of the multiplier exhibited with the distributed random-number generation means and the distributed 

nultiplication means to anyone. 

W80] Pj chooses a random number wO from Zq as random, and sends K=g and L=gw0mod p to other decode person equipments. Other 
iecode person equipments cooperate and are Rand([e0], [el]) [K, L] -> (eOi, eli) (EeO, --, Eet). 
it performs and Ee0=Ke0Lelmod p is sent to the equipment of Pj. 

10081] The equipment of Pj chooses random numbers wl-w 18 from Zq as random. Tl =glwlg2 w2 modpT2 = gl w3g2 w4 modpT3 
=gw5gw6 modpT4 =Rwlhw7 modpTS = Rw2hw8 modpT6 =Rw3hw9 modpT7 =Rw4hwl0modpT8 = Calculate gwl 1 hwl2 mod pT9 =gwl3 
hwl4 mod pT10=gwl5 hwl6 mod pTl l=gw!7 hw!8 mod pT12=ulwl Hcwl5u2wl3+cwl7 v-w5 modp. It sends to other decode person 
equipments. 

[0082] Other decode person equipments exhibit a distributed secrecy value, recover eO and el, and send them to the equipment of Pj. The 
equipment of Pj checks that Ee0=Ke0Lel modp is realized, and when not realized, it stops certification. When this is realized, The equipment 
of Pj Sl=wl+e0 and xlmod qS2=w2+e0andx2mod qS3=w3+e0andylmod qS4=w4+e0andy2mod qS5=w5+e0andr mod qS6=w6+e0anda mod 
qS7=w7+eO and almod qS8=w8+e0 and a2mod qS9=w9+eO and blmod qS10=wl0+e0 and b2mod qSl l=wl 1+eO and r-xl mod qS12=wl2+eO 
(a-xl+al) mod qS13=wl3+eO, r, and x2mod qS14=wl4+eO(a and x2+a2) mod qS15=wl5+e0 and r-ylmod qS16=wl6+eO(a-yl+bl) mod 
qS 1 7=w 1 7+eO and r-y2mod qS 1 8=w 1 8+e0(a-y2+b2) mod q is calculated, and S 1 -S 1 8, and wO are sent to other decode person equipments. 
Dther decode person equipments L=gw0 mod One slg of pg(s) 2 One s3g of s2=Tl XeO modpg(s) 2 s4=T2 YeO modpgs5hs6=T3 ReO 
:nodpRslhs7=T-four e(RXl) 0 modpRs2hs8=T5 e(RX2)0mod pRs3hs9=T6 e(RYl)0mod pRs4hslO =T7 e(RY2)0mod pgsl 1 hsl2 =T8 e(RXl) 
Omod pgsl 3 hsl4 =T9 e(RX2)0mod It verifies that pgsl 5 hsl6 =T10(RY1) e0modpgsl7 hsl8 =T1 1(RY2) eOmod 
Plutonium IS 1 l+cS15u2S13+cS 17 v-S5=T12Ve0mod p is realized. 

0083] Since a top type is realized only when the equipment of Pj creates correctly V, X, Y, R, RX1, RX2, RY1, and RY2, when not realized at 
;east one, it considers verification as failure (explanation which omitted the subscript "j" above). It considers that the equipment of the decode 
person Pj who failed in certification is a deviation person, and other decode person equipments recover a deviation person's secrecy value xlj 1 , 
<2j\ ylj', y2j', and rj using secrecy value recovery procedure, and it exhibits the value of the right Vj. About secrecy value recovery procedure 
:iere, it is reference, for example. A.Herzberg, et.al : "Proactive secret sharing or:How to cope with perpetual leakage", Advances in 
Cryptology-CRYPTO'95, LNCS 963, pp.339-352, Springer- Verlag, and 1995 It is detailed. The rights (VI, --, Vn) including the value of the 
exhibited right Vj are obtained. 

•0084] After the exponent part of (VI, --, Vn) checks the right thing, the secrecy restoration procedure to exponent part restores a value V. 
kach decode person equipment investigates whether V is equal to I, and if not equal, decode will be refused and it will stop (S8). If equal, each 
decode person's Pj equipment will calculate Dpulzjmodp like the case of drawing 4 . Transmit to all other decode person equipments 
according to a broadcast mold channel, and each decode person equipment which received Dj verifies the codeword same with having carried 
out by receiving to (Dl, --, Dn) (VI, Vn). When injustice is detected, zero information certification is performed similarly, a deviation 
person is specified, and the value of the right Dj is recovered using secrecy value recovery procedure. 

[0085] Zero information certification here is performed as follows. The equipment of Pj chooses a random number dO from Zq as random, and 
>ends W=gl and Q=gl dO modp to other decode person equipments. Other decode person equipments cooperate and are Rand([c2], [c3]) [W, 
Q]->(c2i, c3i)(Ec0,--, Ect). 

It performs and Ec0=Wc2QC3 modp is sent to the equipment of Pj. 

[0086] The equipment of Pj chooses random numbers dl and d2 from Zq as random, calculates T12=gl dl modpT13=uldl modp, and sends it 
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o other decode person equipments. Other decode person equipments exhibit a distributed secrecy value, recover c2 and c3, and send them to 
he equipment of Pj. 

0087] The equipment of Pj checks that Ec0=Wc2QC3 modp is realized, and when not realized, it stops certification. When this is realized, the 
quipment of Pj calculates S0=dl+c2 and zlmod q, and sends SO and dO to other decode person equipments. Other decode person equipments 
'erify that Q=gl dO modpgl sO=T12Xjc2 modpulsO=T13Djc2 modp is realized. 

0088] Since a top type is realized only when the equipment of Pj creates Dj correctly, when not realized at least one, it considers verification 
is failure. From the right (Dl, --, Dn), with the secrecy restoration procedure to exponent part, each decode person equipment restores D=ulz 
nod p, calculates m=e/Dmod p, and decodes Message m. 

0089] The example of a functional configuration of the decode person equipment in an example 2 is shown in drawing 7 . The private key of 
:lj, x2j, y Ij, y2j, and zj is memorized by memory 21, the open values wj, gl, g2, p, and q etc. are memorized, and since the information further 
ransmitted to the exterior and the information received from the outside are stored temporarily, memory 21 is used. The distributed random- 
mmber generation section 22 consists of the secrecy distribution machine 23, a distributed secrecy verification machine 24, and a distributed 
ecrecy adder 25; and private key xlj, x2j, ylj, y2j, and zj are created by these, and the variance rj of a random number r is also generated. The 
lash Function operation of c=H (ul, u2) is performed about the receiving cipher E with the hash vessel 26, and the operation of Vj=(ulxl 
+cylju2 x2j+cy2jv-l) rjmod p is performed by the exponentiation computing element 27. The secrecy distribution section 31 consists of a 
;ecrecy distribution machine 32 and a distributed secrecy verification machine 33, and the secrecy value Vj is distributed by Vjk with a with a 
hreshold [ of 2t ] verifiable secrecy variational method, the dispersion which the secrecy restoration procedure to the exponent part of Vk is 
performed with the exponent part secrecy restoration vessel 34, and uses wl of Dl, «, Dn as a bottom with the BCH codeword verification 
vessel 35 - it is checked that a logarithm is the codeword of a BCH code. The broadcast mold communication link receiver 36, the broadcast 
nold communication link transmitter 37, the individual communication link receiver 38, and the individual communication link transmitter 39 
ire formed, and each part is made to carry out a sequential operation further by the control section 41 . 

0090] The same number is numbered and shown in the part which corresponds the functional configuration of the decode person equipment 
jsed for an example 3 at drawing 8 with drawing 7 . By the distributed multiplication means 43, value xlj* which distributed the product of a 
♦andom number r and a private key xl with the secrecy variational method of threshold t, same value x2j', ylj 1 , and y2j' are called for. The 
;ertification section 44 consists of the random-number generation machine 45, a exponentiation computing element 46, and **** multiplication 
ind an adder 47, and it proves that Vj is as a result of [ of ulxlj'+cylj'u2x2j'+cy2 j'v-rj modp ] count to other decode persons by zero 
•nformation certification. Verification under zero information certification procedure is performed by the exponentiation computing element 49 
ind comparator 51 of the verification section 48. 
0091] 

Effect of the Invention] Since the justification of a cipher is verified by verifying whether the value which carried out the exponentiation of the 
/alue of the verification type at the time of the decode in a Cramer-Shoup code with the random number with which everyone of a decode 
person cannot know that value in this invention is set to 1, even if it exhibits the value which carried out the exponentiation, no information 
about the value in an original verification type is revealed. By proving to a third party that this value was created correctly by zero information 
certification, it can prove to a third party that the received cipher does not satisfy the original verification type. 

[0092] Furthermore, since the value of the verification type before carrying out a exponentiation is not revealed to all the decode person, either, 
also when not filling a verification type by performing count of carrying out a exponentiation by random numbers, by cooperation of a total- 
session person by distributed count, Even if there is an inaccurate person in a decode person, since an aggressor can get no profit, he is the safe 
decode approach with a threshold to the alternative cipher attack. 

[0093] Furthermore, since according to another viewpoint of this invention an inaccurate person is specified and a cipher is verified only using 
just data by making each decode person prove the justification of a count result by zero information certification, it is possible to verify by the 
computational complexity proportional to several n of a decode person. Moreover, when a right cipher is received by setting the open value of 
each decode person's proper that each decode person's count result serves as a codeword of a BCH code, and an addressee verifying first that a 
count result is a codeword, and performing zero information certification only when it is not a codeword, it is possible to perform efficient 
count, with traffic stopped. 

[0094] Furthermore, when other decode persons compute and exhibit the distributed private key which the inaccurate decode person has in 
cooperation with the case where an inaccurate person is specified Although it also becomes bored, even if 1/3 or more inaccurate persons exist 
oy enabling it to calculate a right result instead of the inaccurate decode person, as long as it is less than 1/2, it is possible to obtain a right 
verification result and a decode result. 
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"ECHNICAL FIELD 



Field of the Invention] This invention relates to the cipher verification approach that a decode person verifies the justification of a cipher 
specially, and its program documentation medium, about the safe code approach that the information about a decode person's private key does 
lot leak, also when the content of a communication link is kept secret when communicating by the electrical-communication system, and the 
:ontent of decode is exhibited. 
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'RIOR ART 

Description of the Prior Art] In a cryptosystem strong against a selection plaintext attack, a decode person verifies that the transmitting person 
►fa cipher knows the original plaintext by a certain approach. A Cramer-Shoup code Paper R.Cramer and V.Shoup:" A 'practical public key 
ryptosystem provablysecure against adaptive chosen Were proposed by chipertext attack 11 , Advances in Cryptology-CRYPTO'98 and LNCS 
:462, Springer- Verlag, pp.13-25, and 1998. It is the public-key-encryption approach that it can prove that it is strong to an accommodative 
.election cipher attack under an assumption which is called existence of a general purpose one direction nature Hash Function and the difficulty 
>f a Diffie-Hellman judging problem and which is believed widely. A Cramer-Shoup code is the code approach supposing one person's decode 
>erson with one private key corresponding to one public key. 

0003] By the Cramer-Shoup code approach that it is already known in the case of the 1 decode person that it is strong to an accommodative 
••election cipher attack First, choose the big prime factors p and q so that q may divide p-1, and the origin gl and g2 of the subgroup Gq of the 
>rder q of a multiplicative group Zp is used. It is **(xl, x2, yl, y2, z) Zq5 about a private key. A public key is set to lxlg 2 x2mod p of X=g, 
ly lg2of Y=g y2mod p, and Z=glz mod p. The cipher E over plaintext m**Gq consists of (ul, u2, v, e), and the cipher created correctly 
;atisfies ul=glr mod p, u2=g2r mod p, c=H (ul, u2), v=Xr Ycrmod p, and e-mZr mod p to a certain random number r. First, c=H (ul, u2) is 
;alculated and it verifies whether a cipher fills verification type ulxl+cylu2 x2+cy2**v (mod p), the decode person who received this cipher 
efuses decode of that cipher, when not filling, when filling, calculates m=e/ulz modp and gets Plaintext m. 

0004] By the above-mentioned verification type, a decode person can check that the maker of a cipher knows the original plaintext m. Since 
lecode is refused to the unjust cipher with which a verification type is not filled, as for an aggressor, information with useful any is not 
icquired, either. However, when refusing decode by this cipher verification approach as a result of verification, it is actually difficult to prove 
he information concerning [ that the cipher verified to the third party does not serve as V!=v (mod p) as inaccurate / 2 (mod p) /, i.e., 
/**ulxl+cylu2 x2+cy, and ] V, without leaking information in any way. 

0005] Furthermore, by secrecy distribution distributing a corresponding private key to two or more partial private keys to one public key, and 
naking this hold to two or more decode persons so that it may often be carried out by an EIGamal cryptosystem etc. As opposed to an unjust 
:ipher with which a verification type is not filled in this code decode approach when the decode person of the manpower exceeding a threshold 
:ooperates and it applies the decode with a threshold which enables it to decode a cipher Since the count result V of left part u 1 x 1 +cy 1 u2 
<2+cy2 of a verification type becomes known to two or more decode persons, when the decode person who conspired with the aggressor exists, 
information is revealed to an aggressor and the safety to a selection cipher attack cannot be maintained. 

•0006] the decode approach with a threshold -- paper V.Shoup and R.Gennaro: "Securing threshold cryptosystems against chosen ciphertext 
attack", Advances in Cryptology-EUROCRYPT, 98, LNCS 1403, Springer-Verlag, and pp.1- 16 and 1998 It is shown under an assumption 
:alled existence of random Oracle that the proposed method is strong to an accommodative selection cipher attack. 

[0007] However, an assumption called random Oracle can obtain no guarantee about the safety, when it is very unreal and random Oracle is 
replaced and used for the Hash Function considered that the usual collision is difficult. 
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•FFECT OF THE INVENTION 



Effect of the Invention] Since the justification of a cipher is verified by verifying whether the value which carried out the exponentiation of the 
alue of the verification type at the time of the decode in a Cramer-Shoup code with the random number with which everyone of a decode 
>erson cannot know that value in this invention is set to 1, even if it exhibits the value which carried out the exponentiation, no information 
tbout the value in an original verification type is revealed. By proving to a third party that this value was created correctly by zero information 
:ertification, it can prove to a third party that the received cipher does not satisfy the original verification type. 

0092] Furthermore, since the value of the verification type before carrying out a exponentiation is not revealed to all the decode person, either, 
tlso when not filling a verification type by performing count of carrying out a exponentiation by random numbers, by cooperation of a total- 
session person by distributed count, Even if there is an inaccurate person in a decode person, since an aggressor can get no profit, he is the safe 
lecode approach with a threshold to the alternative cipher attack. 

0093] Furthermore, since according to another viewpoint of this invention an inaccurate person is specified and a cipher is verified only using 
ust data by making each decode person prove the justification of a count result by zero information certification, it is possible to verify by the 
:omputational complexity proportional to several n of a decode person. Moreover, when a right cipher is received by setting the open value of 
;ach decode person's proper that each decode person's count result serves as a codeword of a BCH code, and an addressee verifying first that a 
:ount result is a codeword, and performing zero information certification only when it is not a codeword, it is possible to perform efficient 
;ount, with traffic stopped. 

0094] Furthermore, when other decode persons compute and exhibit the distributed private key which the inaccurate decode person has in 
:ooperation with the case where an inaccurate person is specified Although it also becomes bored, even if 1/3 or more inaccurate persons exist 
>y enabling it to calculate a right result instead of the inaccurate decode person, as long as it is less than 1/2, it is possible to obtain a right 
/erification result and a decode result. 
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TECHNICAL PROBLEM 



Problem(s) to be Solved by the Invention] In a Cramer-Shoup code, the object of this invention, without leaking the information about the 
value in a verification type entirely When the justification of a cipher can be verified and it is shown that the value of a verification type is not 
just When the decode person of further plurality [ prove / for a third party ] cooperates and verifies that the value is created correctly by zero 
information certification, even if there is an inaccurate person in a decode person The value of a verification type is to offer the cipher 
verification approach which is not revealed to a decode person, either, its program documentation medium, and its equipment. 
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vlEANS 



Means for Solving the Problem] The exponentiation of the value of the verification type at the time of the decode in a Cramer-Shoup code is 
:arried out with the random number with which everyone of a decode person cannot know the value, and the justification of a cipher is verified 
>y verifying whether the result of having carried out the exponentiation is set to 1. Count of carrying out a exponentiation by these random 
lumbers, by carrying out by cooperation of a total-session person by distributed count Also when not filling a verification type, the value of the 
/erification type before carrying out a exponentiation is revealed to no decode person, and it is got blocked. When not just Since calculated 
/alue turns into a value which is not 1 and the exponentiation of the value is carried out by the random numbers, even if the value by which the 
ixponentiation is carried out is shown and it is shown that calculated value is not 1, i.e., are not just, the value in front of the exponentiation is 
bidden, and there is no possibility that information may leak. 

•0010] Setting n persons' decode person to Pl-Pn, each decode person Pj (j= 1, 2, --, n) shall have the open value wj of a proper, (xl, x2, y 1, 
/2, z) **Zq5 It distributes with the secrecy variational method of threshold t, and let the secrecy value (x2 j and yl j, y2 xlj, j, zj) 
;orresponding to a value wj be the decode person's Pj private key. 

001 1] Moreover, let Xj=glxlj g2 x2j mod p, Yj=gly lj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys. It 
Considers as the public key which uses lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glz mod p (X, Y, Z) for encryption. It shall 
;onnect by the safe channel between each decode person equipment, and each decode person equipment shall use the broadcast mold channel it 
is guaranteed to be to receive a content with other all the members' same decode person equipment. 

, 0012] E= (ul, u2, v, e) is made into the cipher of the plaintext m enciphered by the Cramer-Shoup code approach. Decode person equipment 
performs a distributed random-number generation procedure in cooperation, and the decode person's Pj equipment acquires the secrecy value 
!j. Here, rj is a secrecy value corresponding to the value wj at the time of distributing random-number r**Zq with the secrecy variational 
method of threshold t, and is the value which can recover r with a secrecy decode procedure from the secrecy value of t+1 piece of arbitration. 
Moreover, each decode person equipment cannot know the value of r, but r becomes the random integer of under or more Oq from the property 
of a distributed random-number generation procedure. 

[0013] The equipment of each decode person Pj who received E calculates c=H (ul, u2) and Vj=(ulxl j+cy lju2 x2j+cy2jv-l) rjmod p. 
Furthermore, Vj is distributed with a with a threshold [ of 2t ] verifiable secrecy variational method, and the secrecy value Vjk corresponding to 
a value wk (k= 1, 2, --, n, k!=j) is transmitted through a channel safe for each decode person's Pk equipment. After receiving Vjk from all other 
decode person equipments, the decode person's Pk equipment transmits Vk to all other decode person equipments through a broadcast mold 
channel. As for each decode person equipment, each Vk which received verifies using Vkj that it is a right value. 
[0014] 2t+l piece is chosen among the right and checked Vk, and it investigates whether the value V restored with the secrecy restoration 
procedure to exponent part, i.e., xlk+cy lk, and x2k+cy2k is equal to 1. If not equal, a secrecy restoration procedure will be similarly repeated 
in other combination, and if a restoration value is all equal to 1 about no 2t+l piece combination, decode will be refused and it will stop. 
[0015] the private key restoration procedure as opposed to [ when each decode person equipment calculates according to the above-mentioned 
procedure ] the exponent part from the right Vk of the arbitration beyond 2t+l piece - V=(ulxl+cylu2 x2+cy2v-l) r mod p - V can be 
restored, here, in cooperation with [ V / V makes p law and ] 1 - if it becomes - Cramer-Shoup - in cooperation with [ the original value of 
verification type ulxl+cy lu2 x2+cy2 in law ] v. On the other hand, when V becomes in cooperation with 1, it is in cooperation with [ an 
original verification type ] v or a random number r is 0. However, the probabilities for the random number r generated in the distributed 
random-number generation procedure to be set to 0 are 1/q, and since they are small enough, they can be disregarded. Therefore, V can 
consider in cooperation with [ an original verification type ] v, when in cooperation with 1. 

[0016] Here, it is assumed that there are a maximum of t decode persons who commit injustice, these t persons - (1) - it is made for the value 
V of the verification type to the unjust cipher E to be set to 1 - (2) - it can deviate from the above-mentioned procedure for two kinds of the 
object of** of making it the value V of the verification type to the just cipher E not set to 1 [ or ] First, in order to make the object of (1) 
successful, it must be made for the value of V restored from a certain 2t+l piece Vk to be set to 1. However, before all decode person 
equipments including inaccurate person equipment get to know the value of Vk which other decode person equipments take out Since the value 
of Vk of self-equipment cannot be changed after having to distribute the value of one's Vk by the verifiable secrecy distribution approach and 
getting to know the value of Vk of other decode person equipments Only when the anticipation about Vk of other decode person equipments 
comes true, an inaccurate decode person can attain the object of (1). The probabilities for anticipation to come true are 1/q, and since they are 
small enough, they can be disregarded. Next, since an inaccurate person is at most t persons and, as for other 2t+l person equipments, the right 
value is transmitted even if inaccurate decode person equipment transmits what kind of unjust value Vk about the case of (2), the whole of at 
least one kind can take the set which consists of 2t+l piece Vk of a right value, and V= 1 is restored from such a set. 

[0017] Since one value of r which fills V=(ulxl+cylu2 x2+cy2v-l) r mod p to any values of ulxl+cylu2 x2+cy2 about informational leakage 
when V is not 1 becomes settled Even if the value of (ulxl+cy Iu2 x2+cy2v-l) is randomized by r and shows this randomized value, the value 
before being randomized by r does not leak, that is, the information about ulxl+cy lu2 x2+cy2 does not leak at all by the above-mentioned 
verification approach. 

[0018] As mentioned above, without leaking the information about a private key entirely, if the decode person who commits injustice 
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iccording to this invention is less than [ of all decode persons ] 1/3, by cooperation of two or more decode person, it is possible to calculate a 
/erification type equivalent to the verification type of the original Cramer-Shoup code approach, and, therefore, two or more decode person's 
:ode decode equipment strong against an accommodative selection cipher attack can be constituted. 

0019] When n decode persons are in the above technique, to n data for verification (VI, --, Vn) received from all decode person equipments, 
iach decode person equipment takes out 2t+l piece data, and verifies whether a certain verification type is satisfied. When not satisfied, this 
/erification is performed to all the 2t+l piece combination that can be taken to n pieces. Therefore, in not satisfying a verification type, it has 
he fault that computational complexity increases exponentially, to several n of a decode person. 

0020] According to another viewpoint of this invention, in the code decode approach by two or more decode persons, the cipher verification 
approach and its program documentation medium of a code strong against the accommodative selection cipher attack which can be recovered 
;ven if it can perform count efficiently also to many decode persons and 1/3 or more decode persons perform injustice are offered. That is, as a 
neans to reduce the computational complexity to the number of decode persons, by making each decode person equipment prove the 
.ustification of that result by zero information certification, an inaccurate person is specified and, according to another viewpoint of this 
invention, a cipher is first verified only using just data. By doing so, it is possible to verify by the computational complexity proportional to 
several n of a decode person. However, since there is much traffic, when injustice hardly happens, effectiveness is bad [ the zero information 
unification used in this case ]. When a right cipher is received by setting the open value of each decode person's proper that the count result of 
sach decode person equipment serves as a codeword of a BCH code, and addressee equipment verifying that a count result is a codeword, and 
performing zero information certification only when it is not a codeword, it becomes possible to perform efficient count, with traffic stopped. 
[0021] If based on this approach, the number of the inaccurate persons who can approve is to t persons who fill 3t+l>n, and when a safe system 
with more high tolerance is desired, it is unsuitable. Moreover, although it also becomes bored when an inaccurate person is less than [ 1/3 or 
more ] 1/2, and other decode person equipments compute and exhibit the distributed private key which the inaccurate decode person has in 
cooperation with the case where an inaccurate person is specified as a means, a technical problem is solved by enabling it to calculate a right 
result instead of the inaccurate decode person. 

[0022] The concrete means is as follows, n persons' decode person is set to Pl-Pn, and the open value wj of a proper is assigned to each decode 
person Pj. Threshold t which fills 3 t<n is defined, (xl, x2, yl, y2, z) **Zq5 It distributes with the secrecy variational method of threshold t, 
and let the secrecy value (x2 j and y 1 j, y2 x 1 j, j, zj) corresponding to a value wj be the decode person's Pj private key. 
[0023] Moreover, let Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys. It 
considers as the public key which uses lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glz mod p (X, Y, Z) for encryption. It shall 
connect by the safe channel between each decode person equipment, and each decode person equipment shall use the broadcast mold channel it 
is guaranteed to be to receive a content with other all the members' same decode person equipment. 

[0024] E= (ul, u2, v, e) is made into the cipher of the plaintext m enciphered by the Cramer-Shoup code approach. Decode person equipment 
performs a distributed random-number generation procedure in cooperation, and the decode person's Pj equipment acquires the secrecy value 
rj. Here, rj is a secrecy value corresponding to the value wj at the time of distributing random-number r**Zq with the secrecy variational 
method of threshold t, and is the value which can recover r with a secrecy decode procedure from the secrecy value of t+1 piece of arbitration. 
Moreover, each decode person cannot know the value of r, but r becomes the random integer of under or more Oq from the property of a 
distributed random-number generation procedure. 

[0025] Next, all decode person equipments cooperate, and perform a distributed multiplication means, and each decode person's Pj equipment 
obtains secrecy value xlj', x2j', y lj', and y2j'. Secrecy value xlj' is a value which distributes the product of a random number r and a private 
key xl with the secrecy variational method of threshold t, and is acquired, and can decode xlj' to r-xl (mod q) which t+1 person's decode 
person of arbitration has here, r and x2 (mod q), r-y 1 (mod q), and r-y2 (mod q) can be similarly restored from the value of t+1 piece of 
arbitration about secrecy value x2j', ylj', and y2j', respectively. 

[0026] Each decode person Pj equipment which received E calculates c=H (ul, u2) and Vj=ulxlj'+cylj'u2x2j'+cy2 j'v-rj mod p, and transmits 
Vj to all other decode person equipments through a broadcast mold channel. Next, each decode person equipment checks that the exponent part 
of (VI, --, Vn) is the codeword of a BCH code. When it becomes clear not the codeword of a BCH code but that it is not right, the exponent 
part of (VI, -, Vn) each decode person's Pj equipment It proves to other decode persons by zero information certification, without leaking the 
information concerning [ that Vj is as a result of / of ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p / count, and ] xlj', x2j', ylj', y2j', and rj. 
[0027] It considers that the decode person Pj who failed in certification is an inaccurate person, and other decode person equipments recover 
secrecy value xlj' of the deviation person who is the inaccurate person, x2j', ylj', y2j', and rj using secrecy value recovery procedure, and he 
exhibits the value of the right Vj. The rights (VI, --, Vn) including the value of the exhibited right Vj are obtained. After the exponent part of 
(VI, --, Vn) checks the right thing and that it is a codeword, the secrecy restoration procedure to exponent part restores a value V. Each decode 
person equipment investigates whether V is equal to 1, and if not equal, decode will be refused and it will stop. 

[0028] If equal, each decode person's Pj equipment will calculate Dj=ulzjmod p, and will transmit it to all other decode person equipments 
according to a broadcast mold channel. Each decode person equipment which received Dj verifies the codeword same with having carried out 
to (VI, -, Vn) to (Dl, -, Dn), when injustice is detected, performs zero information certification similarly, specifies an inaccurate person, and 
it recovers the value of the right Dj using secrecy value recovery procedure. 

[0029] From the right (Dl, --, Dn), with the secrecy restoration procedure to exponent part, each decode person equipment restores D=ulz mod 
p, calculates m=e/Dmod p, and decodes Message m. the private key restoration procedure as opposed to [ when each decode person equipment 
calculates according to the above-mentioned procedure ] the exponent part from the right Vk of the arbitration beyond 2t+l piece -- V= 
(ulxl+cylu2 x2+cy2v-l) r mod p - V can be restored, here, in cooperation with [ V / V makes p law and ] 1 - if it becomes - Cramer-Shoup 
- in cooperation with [ the original value of verification type ulxl+cylu2 x2+cy2 in law ] v. On the other hand, when V becomes in 
cooperation with 1, it is in cooperation with [ an original verification type ] v or a random number r is 0. However, the probabilities for the 
random number r generated in the distributed random-number generation procedure to be set to 0 are 1/q, and since they are small enough, they 
can be disregarded. Therefore, V can consider in cooperation with [ an original verification type ] v, when in cooperation with 1. 
[0030] Here, it is assumed that there are a maximum of t decode persons who commit injustice, these t persons -- (1) it is made for the value 
V of the verification type to the unjust cipher E to be set to 1 - (2) - it can deviate from the above-mentioned procedure for two kinds of the 
object of** of making it the value V of the verification type to the just cipher E not set to 1 [ or ] However, the output of all decode person 
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equipments can detect the existence, if an unjust value is less than [ of the whole ] 1/3 when an unjust value exists since it is verified by 
:odeword inspection of a BCH code. In such a case, since each decode person proves the Tightness of an output value by zero information 
:ertification, the inaccurate person who outputted the unjust value fails in certification, and is eliminated. 

0031] About informational leakage, when V is not 1, since one value of r which fills V=(ulxl+cylu2 x2+cy2v-l) r mod p to any values of 
ilxl+cy lu2 x2+cy2 becomes settled, by the above-mentioned verification approach, the information about ulxl+cylu2 x2+cy2 does not leak 
it all. As mentioned above, without leaking the information about a private key entirely, if the decode person who commits injustice according 
o this invention is less than [ of all decode persons ] 1/3, by cooperation of two or more decode person, it is possible to calculate a verification 
ype equivalent to the verification type of the original Cramer-Shoup code approach, and, therefore, two or more decode person's code decode 
ipproach strong against an accommodative selection cipher attack can be constituted. 

0032] By computing and exhibiting the distributed private key which codeword inspection of a BCH code is not conducted, but zero 
nformation certification is always performed in the above-mentioned means on the other hand, an inaccurate person is specified, other decode 
arsons cooperate, and the inaccurate decode person has Although it also becomes bored, since a right result is calculable instead of the 
naccurate decode person, it can respond to less than 1/2 inaccurate person (in order to determine by majority that zero information certification 
.s right, one half of decode persons at least must be right). 
;0033] 

Embodiment of the Invention] The cipher verification approach which is the first example of this invention is explained to one or less 
example. The cipher created with cipher implementer equipment 1 1 as shown in drawing 1 is decoded with decode person equipment 12. If it is 
lot a right cipher, in order to avoid carrying out decode refusal freely with decode person equipment 12, it verifies whether decode refusal is 
appropriate with verification person equipment 13. 

[0034] There shall be the big prime factors p and q now, and q shall divide p-1. The origin gl and g2 of Gq is chosen at random. It considers as 
rhe public key which uses lxlg 2 x2mod p of X=g, lylg2of Y=g y2mod p, and Z=glz mod p for an encryption procedure. Here, it is **(xl, 
s2, yl, y2, z) Zq5. It carries out. The public key shall be exhibited with p, q, gl, and g2 as a open parameter. Moreover, the private key shall be 
stored on the memory of decode person equipment. 

J 0035] As shown in drawing 2 , after receiving cipher E= (ul, u2, v, e) of the plaintext m enciphered by the Cramer-Shoup code approach 
which used X, Y, and Z as the public key (SI), Decode person equipment generates a random number r (S2), and calculates c=H (ul, u2) and 
V=(ulxl+cy lu2 x2+cy2v-l) r mod p (S3). If V becomes one, this cipher will be considered as acceptance and (S4) and decode count will be 
performed (S5). 

[0036] If V is not 1, it will consider as a rejection. In order to prove that it is a rejection to a third party, BC (r) is exhibited using bit 
commitment function BC(). There are some which are depended on Pedersen in this bit commitment function. That is, a random number s is 
generated and it calculates with BC(r, s):=gr hs mod p. dispersion of h to which g and h use g as a bottom here -- it is under Gq whose 
logarithm is strange. 

[0037] r which constitutes BC (r, s), xl which constitutes public keys X and Y, x2, and y 1 and y2 - using - r mod p (ulxl+cy lu2 x2+cy2v-l) 
- it proves to a third party by zero information certification, without leaking the secrecy concerning [ that the result of having calculated is V, 
and ] r, xl, x2, and yl and y2 (S6). [ then, ] The following procedures perform this zero information certification. 

[0038] dispersion of h which uses g as a bottom for g and h below - it considers as the origin of Gq whose logarithm is strange, decode person 
equipment - random numbers a, al, a2, bl, and b2 - Zq -- choosing -- R=gr ha mod pRXl=Rxlhal modpRX2=Rx2ha2 modpRYl=Ry Ihbl 
modpRY2=Ry2hb2 modp - R, RX 1 , RX2, RY1, and RY2 are sent to verification person equipment. 

[0039] Furthermore, decode person equipment chooses a random number wO from Zq as random, and is K=g and L=gw0. mod p is sent to 
verification person equipment. Verification person equipment calculates B=Ke0Lel modp by choosing eO and el from Zq as random, and 
sends B to decode person equipment. 

[0040] Decode person equipment chooses random numbers wl-wl8 from Zq as random. Tl =gl wlg2 w2 mod pT2 =gl w3g2 w4 mod pT3 
=gw5gw6 mod pT4 = Rwlhw7 mod pT5 =Rw2hw8 mod pT6 =Rw3hw9 mod pT7 =Rw4hwlO mod pT8 = Calculate gwl 1 hwl2 mod pT9 
=gwl3 hwl4 mod pT10=gwl5 hwl6 mod pTl l=gwl7 hwl8 mod pT12=ulwl 1+cw15u2w13+cw17 v-w5 mod p. It sends to verification 
person equipment. 

[0041] Verification person equipment sends eO and el to decode person equipment. 

Decode person equipment checks that B=Ke0Lel modp is realized, and when not realized, it stops certification. When this is realized, Decode 
person equipment is zl=wl+e0 and xl modqz2=w2+e0 and x2 modqz3=w3+e0 and yl modqz4=w4+e0 and y2 modqz5=w5+e0 and r. 
modqz6=w6+e0anda modqz7=w7+e0 and al modqz8=w8+e0 and a2 modqz9=w9+e0 and bl modqzl0=wl0+e0 and b2 modqzl l=wl l+e0 and 
r-xl modqzl 2=wl2+e0 (a-xl+al) modqzl 3=wl3+e0, r, and x2 modqzl4=wl4+e0 (a and x2+a2) modqzl 5=wl5+e0 and r-yl 
modqzl 6=wl6+e0 (a-y 1+bl) modqzl 7=wl7+e0 and r-y2 modqzl 8=wl8+e0 (a-y2+b2) modq It calculates and zl-zl8, and wO are sent to 
verification person equipment. 

[0042] Verification person equipment L=gw0 modpgl zlg2 z2=Tl XeOmod pgl z3g2 z4=T2 YeOmod pgz5hz6=T3 Re0modpRzlhz7=T-four 
e(RXl)0mod P Rz2hz8=T5 e(RX2)0mod P Rz3hz9=T6 e(RYl)0mod P Rz4hzlO =T7 e(RY2)0mod pgzl 1 hzl2 =T8 e(RXl)0mod pgzl3 hzl4 
=T9 e(RX2)0mod It verifies that pgzlS hzl6 =T10(RY1) eOmod pgzl7 hzl8=Tl 1(RY2) eOmod plutoniumlzl Rczl5u2zl3+czl7 v-z5 
=T12Ve0mod p is realized. 

[0043] The principle of the upper certification is Schnorr. It is the same as that of a signature, and since a verification type is realized only 
when decode person equipment creates correctly V, X, Y, R, RX1, RX2, RY1, and RY2, when at least one is not realized, verification is 
considered as failure. 

The second example of this invention is explained to two or less example. As shown in drawing 3 R> 3, they are code implementer equipment 
1 1 and 121-12n of each equipment of the decode persons Pl-Pn. It connects with the broadcast mold channel 14, and is 121-12n of decode 
person equipment. It connects by the channel 1 5 safe for mutual. 

[0044] There shall be the big prime factors p and q now, and q shall divide p-1. The origin gl and g2 of Gq is chosen at random. First, n 
persons' decode person is set to Pl-Pn, and the open value wj of a proper is assigned to each decode person Pj (j = 1, 2, n). Threshold t which 
fills 3 t<n is defined. All decode person equipments perform the distributed random-number generation procedure of threshold t 3 times, and 
the decode person's Pj equipment acquires a secrecy value (x2 j and yl j, y2 xlj, j, zj), and makes this the decode person's Pj private key. 
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vloreover, let Xj=glxlj g2 x2j mod p, Yj=glylj g2y2j mod p, and Zj=glzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys, 
furthermore, it considers as the public key which uses lxlg 2 x2mod p of X=g, ly lg2of Y=g y2mod p, and Z=glz mod p for an encryption 
)rocedure. Here, it is **(xl, x2, yl, y2, z) Zq5. It is the random number restored by the secrecy restoration procedure from t+1 set of secrecy 
✓alues (x2 j and yl j, y2 xlj, j, zj) of arbitration. There is an approach by Pedersen in the distributed random-number generation procedure 
which generates such a random number. Below, the distributed random-number generation procedure is shown. 

0045] Between each decode person equipment, as shown in drawing 3 , there shall be a safe channel 15 and each decode person equipment 
ihall use the broadcast mold channel 14 it is guaranteed to be to receive a content with other all the members' same decode person equipment. 
3-1) the equipment of Pj - two polynomials on Zq - f(X) =a0 j+aljX+~+atjXt And gj (X) =b0 j+bljX+--+btjXt random - choosing - every - 
fj (wk) and g) (wk) are transmitted to the equipment except for 1,2, --, n, and k=j k= - of Pk through a safe channel. 

•0046] S-2) The equipment of Pj calculates Cipglaij g2bij mod p to i= 1, --, t, and transmits it to all other decode person equipments through a 
oroadcast mold channel. 

3-3) The equipment of Pk which received Cij from all other decode person equipments is glfj(wk) g2gj(wk) =C0jwk0 and Cljwkl as wki=wki 
:nod q. - It verifies that Ctjwkt mod p is realized. 

[0047] S-4) The equipment of Pk is xl k=fl(wk)+f2(wk)+. - They are +fn(wk) mod q and x2k=gl(wk)+g2(wk)+. - Distributed random- 
number value xlk and x2k are obtained as +gn(wk) mod q. 

S-5) X=C00, C01 - It is referred to as COn modp. Private key y Ij, y2j, and zj to which public keys Y and Z and each decode person correspond 
similarly are also created similarly. 

[0048] All decode person equipments generate distributed random-number r**Zq with a distributed random-number generation procedure, and 
each decode person's Pj equipment holds the secrecy value rj ( drawing 5 , SI). After receiving cipher E= (ul, u2, v, e) of the plaintext m 
enciphered by the Cramer-Shoup code approach which used X, Y, and Z as the public key (S2), each decode person's Pj equipment calculates 
c=H (ul, u2) and Vj=(iilxl j+cy lju2 x2j+cy2jv-l) rjmod p (S3). 

[0049] Then, the equipment of Pj distributes Vj with a with a threshold [ of 2t ] verifiable secrecy variational method, and the secrecy value 
Vjk corresponding to a value wk is transmitted through a channel safe for each decode person's Pk equipment (S4). The approach of Pedersen 
can be used for the verifiable secrecy variational method used here. The following is the procedure. 

P-l) g and h which there are the big prime factors P and Q, and Q divides P-l, and are made into Q>p are GQ whose value of log g h is strange. 
It considers as origin. 

[0050] P-2) the equipment of Pj - ZQ Two upper polynomials fj (X) =Vj+aljX+--+atjXt And gj (X) =b0 j+bljX+--+btjXt (however, it 
considers as aO j=Vj) -- the part of Vj -- removing - random - choosing - every - fj (wk) and gj (wk), i.e., Vjk, are transmitted to the 
equipment of Pk through a safe channel. 

P-3) The equipment of Pj calculates Cij=gaij hbij mod p to i= 1, -, t, and transmits it to all other decode person equipments through a broadcast 
mold channel. 

[005 1 ] P-4) The equipment of Pk which received Cij is gfj(wk) hgj(wk) =C0jwk0 and C ljwkl as wki=wki mod q. - It verifies that Ctjwkt mod 
p is realized, that is, Vjk is verified (S5). 

P-5) When not realized, the equipment of Pk transmits a "rejection" to all other decode person equipments through a broadcast mold channel. 
[0052] When advice of P-6 "a rejection" is t+1 or more pieces, it is considered that Pj is an inaccurate person, it is eliminated (S6), and all other 
decode person equipments discard all the information that the equipment of Pj transmitted before. The step of P-4, and 5 and 6 is the procedure 
of performing verification of the distributed secrecy value Vjk, and an inaccurate person's abatement, and after all decode person equipments 
finish transmitting data, you may carry out by releasing a rejection list collectively. 

[0053] After all decode person equipments distribute Vj with the above-mentioned procedure, each decode person's Pj equipment transmits Vj 
and bOj to all other decode person equipments through a broadcast mold channel (S7). The equipment of each decode person Pj who received 
this checks that CO j=glVjhb0j mod p is realized, and verifies Vj (S8). When not realized, like the above, a "rejection" is notified to all other 
decode person equipments, and an inaccurate person is eliminated (S9). 

[0054] 2t+l piece is chosen as arbitration from the right and all checked Vk(s) (S10), and it investigates whether the value V restored with the 
secrecy restoration procedure to exponent part is equal to 1 (SI 1). The secrecy restoration procedure to exponent part is reference. Cramer, 
et.al: "A seure and Optimally Efficient Multi-Authority Election Scheme", Advances in Cryptology-Eurocrypt'97, LNCS 1233 Springer- 
Verlag, pp. 103-1 18, and 1997 It is detailed. The restoration procedure to the exponent part at the time of setting to alpha the set of the index k 
of 2t+l piece Vk chosen as below is shown. The secrecy value of exponent part presupposes that it is the secrecy value acquired with the 
verifiable secrecy variational method of Pedersen. 
[0055] R-l) It is a Lagrange interpolation multiplier first [0056] 
[Equation 1] 

=n kea , k^ji/Crk) 

It calculates by carrying out. 
R-2) Next, [0057] 
[Equation 2] 

V = n je = a V,*J-« mod p 

It calculates. If V is not 1, a secrecy restoration procedure will be similarly repeated in other 2t+l piece combination (S12). If a restoration 
value is all equal to 1 about no combination, a rejection will be notified and it will stop. 

[0058] If there is combination set to 1 at least one, this cipher will be considered as acceptance. Each decode person's Pj equipment calculates 
Dj=ulzjmod p, as shown in drawing 4 R> 4 (SI), and it transmits it to all other decode person equipments according to a broadcast mold 
channel (S2). the dispersion to which each decode person equipment which received Dj uses ul of Dl, --, Dn as a bottom - by checking that a 
logarithm is the codeword of a BCH code, if it is (S4) and a codeword, the secrecy restoration procedure to the above-mentioned exponent part 
will restore D=ulz mod p (S5), m=e/D modp will be calculated, and Message m will be decoded (S6). If it is not a codeword in step S4, what is 
made to prove the Tightness of count and cannot be proved by zero information certification will be discarded as inaccurate Di (S7). 
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Hie third example of this invention is explained to three or less example. 

•0059] A safe channel shall be between each decode person equipment, and each decode person equipment shall use the broadcast mold 
:hannel it is guaranteed to be to receive a content with other all the members' same decode person equipment. There shall be the big prime 
factors p and q and q shall divide p-1 . The origin gl and g2 of Gq is chosen at random. First, n persons' decode person is set to Pl-Pn, and the 
open value wj of a proper is assigned to each decode person Pj. Threshold t which fills 3 t<n is defined, 

i"0060] First, the secrecy distribution approach by Pedersen is shown. First, g and h It considers as the origin of Gq whose logg h is strange. The 
equipment of the portioner P who distributes the secrecy values aO and bO is t-th two polynomials f(X) =aO+alX+ on Zq. - It is +atXt and g(X) 
=bO+blX+. - It is +btXt. Except for aO, it chooses at random, and f (wj) and g (wj) are sent to each addressee's Pj equipment through a safe 
:hannel. 

;0061] Next, the commitment value Ei of each multiplier is calculated like Ei=gaihbimod p to i= 0, --, t, and it opens to the public through a 
broadcast mold channel. Each equipment of Pj which received these is gf (wj) as uji=wji mod q. hg (wj) =E0uj0 Elujl - It verifies that Etujt 
nod p is realized. This EOujO Elujl - The value of Etujt mod p is called the commitment to the distributed secrecy value of Pj. If the 
;ommitment value of each multiplier is exhibited, anyone can also calculate the commitment to which distributed secrecy value of Pj. 
[0062] Below, it is Ped (aO, bO) about this secrecy distribution approach [g, h]. -> (aOj, bOj) (E0, --, Et) 

** - it writes like. (aO, bO) are confidential information distributed, each equipment of Pj is the distributed secrecy value received through a 
safe channel, and its (aOj, bOj) are equal to f (wj) and g (wj) respectively. (E0, --, Et) are commitment values of each multiplier exhibited 
through a broadcast mold channel, [g, h] express the bottom used in case a commitment is created. As long as there is especially no notice 
about the above-mentioned notation, the multiplier of the polynomial except a constant term shall be chosen at random. . 
[0063] Thus, from the distributed secrecy value, when polynomial interpolation recovers the original secrecy, the holder of each distributed 
secrecy value exhibits the value first. It is gaOj hbOj =E0uj0 Elujl to the exhibited value (aOj, bOj). - It checks that Etujt modp is realized. The 
set which that index j makes is set to alpha about t+1 (aOj, bOj) of arbitration of which this formula consists. It is a Lagrange interpolation 
multiplier [0064] 
[Equation 3] 

=n ke a, k*ii/(HO mod q 

It is [0065] when it carries out. 
[Equation 4] 

S je a<Ua aOj mod q = a0 

A next door and aO are recoverable. bO is recoverable similarly. The above-mentioned secrecy distribution approach can completely be 
similarly performed, even if it uses only one bottom. In such a case, it is written as Ped(aO) [g] -> (aOj) (E0, --, Et). 

[0066] The random number distributed in cooperation by two or more persons is generable using this secrecy distribution approach. First, the . 
equipment of Pi chooses random numbers ai and bi from Zq, and is this Ped(ai, bi) [g, h] -> (aij, bij) (EiO, --, Eit) 

** - it distributes like. All the members of Pl-Pn perform this. Then, the equipment of Pj receives (alj, blj), -, (anj, bnj) from a safe channel, 
and receives (E10, --, Elt), --, (EnO, --, Ent) from a broadcast mold channel. At this time, it is the distributed secrecy value (xlj, x2j) of Pj 
xlj=alj+ - +anj modq, x2j=blj+ - It is referred to as +bnj modq. The random-number value xl recovered from this distributed secrecy value 
is [0067]. 
[Equation 5] 

x 1 = S jea A kia x 1 j = a 1 Wan mod q 

The value is known by nobody until it comes out, and it is and recovery is performed. Moreover, the commitment value EXk of the k-th 
multiplier of the polynomial which makes this secrecy random-number value a constant serves as EXk=El k-E2 k--Enkmod p. Especially, it is 
cautious of it being EX0=gxlhx2mod p. This approach is called distributed random-number generation, and it is Rand([a], [b]) [g, h] -> (aj, bj) 
(E0, --, Et). 

It writes, ([a] [b]) is a random-number value generated and means that the value of [ ] is strange to every calculator, [g, h] - and [ of 
semantics ] (aj, bj) (E0, --, Et) is the same as that of the notation of the above-mentioned secrecy distribution. 

[0068] All decode person equipments are the distributed random-number generation procedure of threshold t Rand([xl], [x2]) [gl, g2] -> (xlj, 
x2j) (EX0, EXt) 

Rand([y 1], [y2]) [gl, g2] -> (y Ij, y2j) (EY0, --, EYt) 
Rand ([zl]) [gl] -> (zlj) (EZ0, --, EZt) 

** -- performing 3 times like, the decode person Pj acquires a secrecy value (x2 j and yl j, y2 xlj, j, zj), and makes this the decode person's Pj 
private key. Moreover, let Xj=glxlj g2 x2jmod p, Yj=gly lj g2y2j mod p, and Zj=gIzjmod p (Xj, Yj, Zj) be the decode person's Pj public keys. 
Furthermore, it considers as the public key which uses X=EX0=glxlg2 x2modp, Y=E Y0=g 1 y 1 g2y2mod p, and Z=EZ0=glz mod p for an 
encryption procedure. It is **(xl, x2, yl, y2, z) Zq5 here. It is the random number restored by the secrecy restoration procedure from t+1 set of 
secrecy values (x2 j and y 1 j, y2 x 1 j, j, zj) of arbitration. 

[0069] All decode person equipments perform distributed random-number generation procedure Rand ([r], [s]) [gl, g2] -> (rj, sj) (R0, --, Rt), 
and generate distributed random-number r**Zq, and each decode person's Pj equipment holds the secrecy values rj and sj ( drawin g 6 , SI). R 
is set to R=R0=glr g2second mod p here. 

[0070] Next, all decode person equipments obtain secrecy value xlj', x2j', ylj', and y2j' with a distributed multiplication means (S2). Secrecy 
value xlj' is a value which distributes the product of a random number r and a private key xl with the secrecy variational method of threshold t, 
and is acquired, and can decode rxl (mod q) here from xlj' which t+1 person's decode person of arbitration has. rx2 (mod q), ryl (mod q), and 
ry2 (mod q) can be similarly restored from the value of t+1 piece of arbitration about secrecy value x2j', y lj', and y2j', respectively. About such 
a distributed multiplication means, it performs as follows. 

[0071] The decode person's Pj equipment is Ped(xlj, x2j) [gl, g2] -> (xlji, x2 ji) (EXjO, EXjt). 

It performs. Each equipment of Pj calculates Rj=glrjg2sjmod p. This value Rj is Rj=R0uj0 Rlujl as uji=wji mod q. - Since you may calculate 
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ike Rtujt mod p, it is cautious of the ability of anyone to calculate. 

0072] Next, the polynomial used for distributing xlj and x2j by Ped (xlj, x2j) is used for the equipment of Pj as it is, and it is Ped(xlj, slj) 

Rj, g2] -> (xlji, slji) (ERX ljO, --, ERXljt). 

>ed(x2j, s2j) [Rj, g2] -> (xlji, s2ji) (ERX 2j0, --, ERX2jt) 

t performs. However, slj and s2j also choose at random the polynomial which chooses at random and makes these a constant term. 
0073] To the last, the equipment of Pj is Ped(xl j-rj, xlj-sj+slj) [gl, g2] -> (rxlji, rslji) (ERX ljO, --, ERXljt). 
>ed(x2j-rj, x2j-sj+s2j) [gl, g2] -> (rx2ji, rs2ji) (ERX 2j0, --, ERX2jt) 
t carries out. 

0074] Each equipment of Pl-Pn performs the above-mentioned procedure. The equipment of Pi is the set (rxl li, -, rxlni) of a distributed 
;ecrecy value which received to a Lagrange interpolation multiplier [0075] 
Equation 6] 

1 j, a =n k( =a, k #ji/(H0 tLX* 
xlj' =S jEa ^.a rxlji mod q 

(t calculates. The set of the index of right xlj' is set to beta, and it is [0076] at the time of |beta|>=t+l . 
•Equation 7] 

E Je *Aj.* xl ]' =Zj 6 * E iea A i((r rxl i jl 

= 2ieaAu (Sje^j.* r x I i jl 
= S ie ^ u ri 'Xl i=r - xl 

Since a next door and multiplication result r-xl are recoverable, it turns out that xlj' is the t-th distributed secrecy value of r-xl. x2j' as well as 
<lj' is calculated. Furthermore, a distributed multiplication procedure is similarly performed and calculated about secrecy value ylj' and y2j\ 
•0077] After receiving cipher E= (ul, u2, v, e) to the plaintext m enciphered by the Cramer-Shoup code approach (S3), each decode person's Pj 
equipment c=H (ul, u2) and Vj=ulxlj , +cylj , u2x2j , +cy2 j'v-rj mod p are calculated, and Vj is transmitted to all other decode person equipments 
:hrough (S4) and a broadcast mold channel (S5). Next, as for each decode person equipment, the exponent part of (VI, --, Vn) checks that it is 
:he codeword of a BCH code (S6). A codeword verification procedure reference F.J.MacWilliams : "The Thory of Error Correcting Codes", 
North-Holland Mathematical Library, and pp.201-202 -- or M. Ben-Or and S.Goldwasser, A. Wigerson:" Completeness Theorems for Non- 
Cryptographic Fault-Tolerant Distributed Computation" and 20 th ACM Symposium on Theory It is detailed to of Computing, pp. 1-10, and 
1988. A codeword verification procedure is shown below. 

- w!=l is used as the n-th root of 1 in mod q, and it is referred to as xiij=wj (i-1) modq. 

- It is [0078] about j= 1, --, all 2t j. 
[Equation 8] 

V 1 * 1 j V 2 f2j - — V n pnj nod p = 1 

It checks becoming. When it becomes clear with the above-mentioned procedure that the exponent part of (VI, --, Vn) is not right, each decode 

person's Pj equipment It proves to other decode person equipments by zero information certification, without leaking the information 

concerning [ that Vj is as a result of / of ulxlj'+cy Ij'u2x2j'+cy2 j'v-rj mod p / count, and ] xlj', x2j\ ylj\ y2j\ and rj (S7). 

[0079] This zero information certification is performed as follows. However, by explanation of the procedure to following Pj, since Subscript j 

is attached to all variables, this is excluded and explained. First, distributed secrecy value xl' which Pj holds, x2\ yl\ y2\ and r are received, a, 

al, a2, and bl as a certain random number R=glr g2second mod pRX 1 =ERX 1 0=Rx 1 g2a 1 mod pRX2=ERX20=Rx2g2a2mod 

pR Y 1 =ER Y 1 0=Ry 1 g2b 1 mod pRY2=ERY20=Ry2g2b2mod The values R, RX1, RX2, RY1, and RY2 of a commitment p Becoming can be 

acquired from the commitment value of the multiplier exhibited with the distributed random-number generation means and the distributed 

multiplication means to anyone. 

[0080] Pj chooses a random number wO from Zq as random, and sends K=g and L=gw0mod p to other decode person equipments. Other 
decode person equipments cooperate and are Rand([e0], [el]) [K, L] -> (eOi, eli) (EeO, Eet). 
It performs and Ee0=Ke0Lelmod p is sent to the equipment of Pj. 

[0081] The equipment of Pj chooses random numbers wl-wl8 from Zq as random. Tl =glwlg2 w2 modpT2 = gl w3g2 w4 modpT3 
=gw5gw6 modpT4 =Rwlhw7 modpT5 = Rw2hw8 modpT6 =Rw3hw9 modpT7 =Rw4hwl0modpT8 = Calculate gwl 1 hwl2 mod pT9 =gwl3 
h w 1 4 mod pT 1 0=gw 1 5 h w 1 6 mod pT 1 1 =gw 1 7 hw 1 8 mod pT 1 2=u 1 w 1 1 +cw 1 5u2 w 1 3+cw 1 7 v-w5 modp. It sends to other decode person 
equipments. 

[0082] Other decode person equipments exhibit a distributed secrecy value, recover eO and el, and send them to the equipment of Pj. The 
equipment of Pj checks that Ee0=Ke0Lel modp is realized, and when not realized, it stops certification. When this is realized, The equipment 
of Pj Sl=wl+e0 and xlmod qS2=w2+e0andx2mod qS3=w3+e0andylmod qS4=w4+e0andy2mod qS5=w5+e0andr mod qS6=w6+e0anda mod 
qS7=w7+eO and almod qS8=w8+e0 and a2mod qS9=w9+eO and blmod qS10=wl0+e0 and b2mod qSl l=wll+e0 and r-xl mod qS12=wl2+eO 
(a-xl+al) mod qS13=w!3+eO, r, and x2mod qS14=w!4+eO(a and x2+a2) mod qS15=wl5+e0 and r-ylmod qS16=w!6+eO(a-yl+bl) mod 
qS 1 7=w 1 7+eO and r-y2mod qS 1 8=w 1 8+e0(a-y2+b2) mod q is calculated, and S 1 -S 1 8, and wO are sent to other decode person equipments. 
Other decode person equipments L=gw0 mod One slg of pg(s) 2 One s3g of s2=TT XeO modpg(s) 2 s4=T2 YeO modpgs5hs6=T3 ReO 
modpRslhs7-T-four e(RXl) 0 modpRs2hs8=T5 e(RX2)0mod pRs3hs9=T6 e(RYl)0mod P Rs4hslO =T7 e(RY2)0mod pgsl 1 hsl2 =T8 e(RXl) 
Omod pgs 1 3 hs 1 4 =T9 e(RX2)0mod It verifies that pgs 1 5 hs 1 6 =T 1 0(RY 1 ) eOmodpgs 1 7 hs 1 8 =T 1 1 (RY2) eOmod 
plutoniumlSl HcS15u2S13+cS17 v-S5=T12Ve0mod p is realized. 
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0083] Since a top type is realized only when the equipment of Pj creates correctly V, X, Y, R, RX1, RX2, RY1, and RY2, when not realized at 
east one, it considers verification as failure (explanation which omitted the subscript "j" above). It considers that the equipment of the decode 
>erson Pj who failed in certification is a deviation person, and other decode person equipments recover a deviation person's secrecy value xlj', 
<2j\ y lj 1 , y2j', and rj using secrecy value recovery procedure, and it exhibits the value of the right Vj. About secrecy value recovery procedure 
lere, it is reference, for example. A.Herzberg, et.al : "Proactive secret sharing or:How to cope with perpetual leakage", Advances in 
:ryptology-CRYPTO'95, LNCS 963, pp.339-352, Springer-Verlag, and 1995 It is detailed. The rights (VI, --, Vn) including the value of the 
exhibited right Vj are obtained. 

0084] After the exponent part of (VI, --, Vn) checks the right thing, the secrecy restoration procedure to exponent part restores a value V. 
lach decode person equipment investigates whether V is equal to 1, and if not equal, decode will be refused and it will stop (S8). If equal, each 
Jecode person's Pj equipment will calculate Dj=ulzjmodp like the case of drawing 4 . Transmit to all other decode person equipments 
iccording to a broadcast mold channel, and each decode person equipment which received Dj verifies the codeword same with having carried 
>ut by receiving to (Dl, --, Dn) (VI, --, Vn). When injustice is detected, zero information certification is performed similarly, a deviation 
)erson is specified, and the value of the right Dj is recovered using secrecy value recovery procedure. 

0085] Zero information certification here is performed as follows. The equipment of Pj chooses a random number dO from Zq as random, and 
;ends W=gl and Q=gl dO modp to other decode person equipments. Other decode person equipments cooperate and are Rand([c2], [c3]) [W, 
)] -> (c2i, c3i) (EcO, -, Ect). 

It performs and EcO=Wc2QC3 modp is sent to the equipment of Pj. 

X)086] The equipment of Pj chooses random numbers dl and d2 from Zq as random, calculates T12=gl dl modpT13=uldl modp, and sends it 
:o other decode person equipments. Other decode person equipments exhibit a distributed secrecy value, recover c2 and c3, and send them to 
;he equipment of Pj. 

'"0087] The equipment of Pj checks that EcO=Wc2QC3 modp is realized, and when not realized, it stops certification. When this is realized, the 
equipment of Pj calculates S0=dl+c2 and zlmod q, and sends SO and dO to other decode person equipments. Other decode person equipments 
/erify that Q=gl dO modpgl sO=T12Xjc2 modpuls0=T13Djc2 modp is realized. 

0088] Since a top type is realized only when the equipment of Pj creates Dj correctly, when not realized at least one, it considers verification 
is failure. From the right (Dl, --, Dn), with the secrecy restoration procedure to exponent part, each decode person equipment restores D=ulz 
nod p, calculates m^e/Dmod p, and decodes Message m. 

• 0089] The example of a functional configuration of the decode person equipment in an example 2 is shown in drawing 7 . The private key of 
<lj, x2j, y lj, y2j, and zj is memorized by memory 21, the open values wj, gl, g2, p, and q etc. are memorized, and since the information further 
ransmitted to the exterior and the information received from the outside are stored temporarily, memory 21 is used. The distributed random- 
aumber generation section 22 consists of the secrecy distribution machine 23, a distributed secrecy verification machine 24, and a distributed 
secrecy adder 25, and private key xlj, x2j, ylj, y2j, and zj are created by these, and the variance rj of a random number r is also generated. The 
Hash Function operation of c=H (ul , u2) is performed about the receiving cipher E with the hash vessel 26, and the operation of Vj=(ulxl 
j+cy lju2 x2j+cy2jv-l) rjmod p is performed by the exponentiation computing element 27. The secrecy distribution section 31 consists of a 
secrecy distribution machine 32 and a distributed secrecy verification machine 33, and the secrecy value Vj is distributed by Vjk with a with a 
threshold [ of 2t ] verifiable secrecy variational method, the dispersion which the secrecy restoration procedure to the exponent part of Vk is 
performed with the exponent part secrecy restoration vessel 34, and uses wl of Dl, ~, Dn as a bottom with the BCH codeword verification 
vessel 35 - it is checked that a logarithm is the codeword of a BCH code. The broadcast mold communication link receiver 36, the broadcast 
mold communication link transmitter 37, the individual communication link receiver 38, and the individual communication link transmitter 39 
are formed, and each part is made to carry out a sequential operation further by the control section 41 . 

[0090] The same number is numbered and shown in the part which corresponds the functional configuration of the decode person equipment 
used for an example 3 at drawing 8 with drawing 7 . By the distributed multiplication means 43, value xlj' which distributed the product of a 
random number r and a private key xl with the secrecy variational method of threshold t, same value x2j', y lj\ and y2j' are called for. The 
certification section 44 consists of the random-number generation machine 45, a exponentiation computing element 46, and **** multiplication 
and an adder 47, and it proves that Vj is as a result of [ of ulxlj'+cy Ij , u2x2j'+cy2 j'v-rj modp ] count to other decode persons by zero 
information certification. Verification under zero information certification procedure is performed by the exponentiation computing element 49 
and comparator 51 of the verification section 48. 
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DESCRIPTION OF DRAWINGS 



Brief Description of the Drawings] 

■ Drawing 1] Drawing showing the system configuration of the example 1 of this invention. 

Drawing 2] The flow chart showing the verification operations sequence of the decode person equipment in the example 1 of this invemion. 
[Drawing 3] Drawing showing the system configuration of the example 2 of this invention. 

[Drawing 4] The flow chart showing the decode operations sequence of the decode person's Pi equipment in the example 2 of this invention. 
[Drawin g 5] The flow chart showing the verification operations sequence of the decode person's Pi equipment in the example 2 of this 
invention. 

[Drawing 6] The flow chart showing the verification operations sequence of the decode person's Pi equipment in the example 3 of this 
invention. 

[Drawing 7] Drawing showing the functional configuration of the decode person equipment in an example 2. 
[D rawing 8] Drawing showing the functional configuration of the decode person equipment in an example 3. 
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